What to do if you are a victim of ransomware

TMLT is committed to sharing information with our policyholders and the health care industry on how to protect your sensitive data. In the days following the international ransomware attack, the federal government and private cyber security firms continue to share information about what to do if you are a victim of ransomware.

Having an action plan is essential, as even the most prepared medical practice may become a victim. Sharing the plan with all members of your workforce is even more important, as any one of them could be the first to encounter the ransom attack.

The following steps make up a ransomware action plan that could help you and your IT staff members preserve sensitive data and limit the extent of a breach.

  1. Disconnect the affected device from the network.
    1. If the device is connected with a network cable, disconnect it immediately.
    2. If the device is connected wirelessly, hold the power button down until the light goes off.
  2. Alert the rest of your staff about what is going on.
  3. Disconnect shared drives.
  4. Notify your IT staff/consultant immediately.
    1. Talk to the person who got the notice.
      i. Did they open any unusual emails?
      ii. Did they enable macros?
    2. Update and run security software.
    3. Do not wipe the server and affected devices. They may contain evidence to help the authorities identify the source of the attack or any breaches that may have already occurred. This is especially true in health care, where evidence may point to a HIPAA Breach that must be reported.
    4. Restore your data from backup files, if possible.
  5. Notify TMLT’s Claims Department to report the security incident under your cyber insurance.
  6. On May 16, 2017, Health and Human Services (HHS) sent an email to subscribers of its HIPAA announcements and news listserv with the following recommendations:
    1. “Please contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
    2. Please report cyber incidents to the US-CERT and FBI's Internet Crime Complaint Center.
    3. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at”

For more information, follow TMLT on social media or email us your questions at

About the Author

Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Manager. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at