If you’re running a multi-site healthcare organization, you’ve probably had the ransomware conversation with your board. Not if it will happen, but what you’ll do when it does. And the question that always comes up first is surprisingly simple: should we just pay?
It’s a fair question. The logic seems straightforward. Pay the ransom, get your data back, move on with business. But after working with hundreds of breached healthcare organizations, Tim Grelling, Director of Information Security at Focus Solutions, has a different perspective. The ransom payment often becomes the smallest part of your total breach cost.
The ransomware payment isn’t your biggest problem. It’s often the smallest line item in your total breach cost. What actually forces practices out of business is everything that happens after that payment decision, whether you pay or not.
Multi-site healthcare organizations face a unique calculation. Patient data across all your locations is now at risk. Every acquisition you’ve closed, every integration you’ve completed, and every state you operate in adds another layer of complexity and cost.
But here’s what most leadership teams don’t realize until they’re in the middle of a breach: paying the ransom is just the beginning of your problems, not the end. The real costs, the ones that force 50% of small practices out of business, start after you make that payment decision.
This article gives you the framework you need to understand what paying actually buys you, how to calculate the true financial impact, and what you should be doing right now to prepare for this scenario before it happens.
What does paying the ransom actually get you?

When leadership teams face that ransom demand, they’re looking at what seems like a massive number. But here’s what Tim has learned from hundreds of breaches: the ransom is often your cheapest line item.
Pay $50,000 in ransom? Your healthcare data breach costs have just started. That payment buys you two things: a promise not to leak data (from criminals who already proved they can’t be trusted) and possibly faster decryption than rebuilding from backups.
But whether you pay or not, the real healthcare data breach costs are identical: forensic investigations ($200,000+), regulatory fines, patient notifications ($5 per patient across thousands of records), credit monitoring for years, and potential corporate integrity agreements that drain resources for half a decade.
The investigation still happens
Your forensic team needs to determine the full scope of the breach. Which systems were accessed? How long were attackers in your network? What data was actually stolen versus just encrypted? These questions matter for regulatory reporting, and paying the ransom doesn’t answer any of them.
The notification requirements don’t change
You’re still legally required to report to the Office for Civil Rights within 60 days. Patient notifications still go out. Your state breach notification laws still apply across every location in your platform. For a 20-location MSO, that means managing different requirements in each state, coordinating notifications across thousands of patients, and potentially dealing with multiple state attorneys general. Paying attackers doesn’t eliminate a single compliance obligation.
The trust problem nobody talks about
Tim Grelling puts this bluntly: “Let’s be honest, we’re negotiating with bad guys who broke in and stole our stuff and they say, ‘If you give me a bunch of Bitcoin, I promise I won’t resell it on the dark web.’ And we’re like, ‘Oh, yeah. They’re very trustworthy.’ There is actually no guarantee.”
The data may already be sold before you even begin negotiating. Multiple threat actor groups may have accessed your systems. And even if this particular group honors their promise, there’s zero legal recourse if they don’t.
The harsh reality is that whether you pay or not, you’re still facing the same forensic investigations, the same regulatory requirements, and the same breach costs that can reach into the millions. The ransom is just the entry fee to a very expensive game.
The real healthcare data breach costs that force practices to close

The ransom payment itself is often the smallest line item in your total breach cost. IBM’s 2024 Cost of a Data Breach Report found that the average breach costs $4.88 million. Healthcare organizations face even higher costs due to regulatory requirements and the sensitive nature of protected health information.
But here’s the stat that should wake up every healthcare executive: about 50% of small practices don’t survive a major breach. “They usually have to either file bankruptcy or basically shut down,” Jeffery Daigrepont from Coker Group mentions. And this happens even when cyber insurance kicks in.
The immediate costs hit your cash flow hard
These hit fast. Legal fees for breach counsel start accumulating within hours. Forensic investigation teams charge premium rates for emergency response.
You’re paying for business interruption across multiple sites while systems are down. Emergency IT remediation and security hardening can’t wait. And if you decide to pay the ransom, that’s an additional cost on top of everything else.
The hidden costs that compound over time
Mandatory credit monitoring for affected patients isn’t a one-time expense. It continues for years, and you’re paying for every single patient whose data was accessed. According to HHS breach reports, large breaches affecting 500+ individuals trigger these ongoing obligations.
Corporate integrity agreements can be even more expensive. “You might have to come under a corporate integrity agreement where you have to submit yourself to random audits or routine audits to make sure that you’re compliant,” Jeffery explains.
These agreements can last for years and require dedicated compliance resources at every location. Your cyber insurance premiums will increase dramatically if your carrier doesn’t drop you entirely.
Patient churn accelerates as families lose trust. And perhaps most damaging for growing organizations, your expansion plans grind to a halt. Acquisitions get delayed or cancelled. Private equity (PE) sponsors demand full platform-wide security audits before approving additional investments.
The multi-site multiplication effect destroys economies of scale
Everything that makes MSOs efficient in normal operations works against you in a breach. Your centralized systems mean one breach affects all locations simultaneously. Standardized processes mean attackers who compromise one site have the blueprint for all.
Each state has different breach notification requirements and timelines. California’s strict privacy laws differ from Texas’s requirements and Florida’s rules. You need legal counsel familiar with each jurisdiction.
Your PE sponsors will demand comprehensive security audits across the entire platform before approving any additional investment. Planned acquisitions get delayed or cancelled. Growth capital gets redirected to security remediation.
Why your cyber insurance might not save you

Five years ago, cyber insurance was a safety net. “Ransomware was running wild, cyber insurance was paying out left and right,” Tim recalls from his experience in incident response. Those days are over.
Today’s reality is harsh. “About a third of conversations start with ‘my cyber insurance company is asking for X, Y, and Z’ or ‘our premiums are going to quadruple,’” Tim explains. The highest increase he’s seen? Six times the original premium.
The requirements most practices don’t meet
Modern cyber insurance carriers require 10-20 specific security controls before they’ll issue or renew a policy: multi-factor authentication everywhere; 24/7 monitoring and alerting; regular security awareness training with testing; documented incident response plans that are tested quarterly; and encrypted backups that are stored offline and tested regularly.
Here’s the catch: “It’s up to you to say yeah, we have that or not. There’s no audit, there’s no attestation from your cyber insurance company,” Tim notes.
When a breach happens, your carrier asks one question: “Were the required controls in place and functioning during this breach?” If you can’t prove they were, your claim gets denied. According to CISA guidance, inadequate cybersecurity practices are increasingly cited as reasons for claim denials.
What coverage actually provides (when you qualify)
If your controls are properly documented and functioning, cyber insurance can be valuable. Most policies provide access to preferred incident response vendors, resources for creating incident response plans, and sometimes reduced rates on security awareness training.
Think of cyber insurance like your health insurance. It helps, but you still have significant out-of-pocket costs. The deductibles, co-insurance, and coverage gaps in a major breach can still reach millions.
Making the decision: a framework for leadership

“It’s kind of a philosophical question, but it’s more of a business decision,” Tim explains about the payment choice. Your cyber insurance company or incident response vendor might recommend payment, but ultimately, leadership must decide based on your specific situation.
Critical factors for multi-site organizations
Your decision should be based on specific factors unique to your situation. What data was actually accessed, and how sensitive is it? Can you function without the encrypted systems, and for how long?
Based on what you know now, are you already required to report this breach? Will your cyber insurance policy cover the ransom, and can you prove your required controls were functioning?
Does paying versus not paying affect potential patient lawsuits? (According to Jeffery, “I don’t believe so.”) And critically, what’s the cost of extended downtime versus potentially faster recovery?
The variables that influence your answer
Your backup and recovery capabilities matter enormously. Organizations with tested, working backups have more negotiating power. The time sensitivity of your operations affects the calculation. Some specialties can tolerate limited downtime better than others.
Your regulatory environment and reporting requirements change the math. Financial reserves and actual insurance coverage (not just what you think you have) determine what’s financially feasible.
And your reputational considerations in your market, plus PE sponsor or board guidance and risk tolerance, all factor into the final decision.
Why can’t you wait until you’re breached to decide?
“When you’re in the middle of a ransomware attack, that’s not the time to realize you don’t know who to call and what to do,” Tim emphasizes. Your incident response plan should include decision trees, pre-authorized spending limits, and clearly defined roles for key stakeholders before a crisis hits.
What scaling healthcare organizations must do today

The difference between organizations that survive breaches and those that don’t isn’t luck—it’s preparation. Here’s what every multi-site healthcare organization needs immediately:
Review your cyber insurance policy immediately
Don’t wait until your systems are encrypted to discover what your policy actually covers. Document which required controls you have in place right now. Identify gaps between policy requirements and your current state.
And leverage the free resources most carriers provide for incident response planning and security awareness training.
Create or update your incident response plan
Who makes the payment decision? CEO, board, or committee? What are the spending authorities during a crisis? Who are your preferred incident response vendors? What’s your communication plan for patients, staff, and media? How will you coordinate across multiple locations and states?
Implement non-negotiable controls
“If you don’t have multi-factor authentication, please do that today,” Tim urges. Even if someone does click on a phishing link, multi-factor authentication can often keep that one mistake from becoming a compromised account.
According to Microsoft security research, MFA blocks 99.9% of automated account compromise attacks.
You’ll also need 24/7 monitoring and alerting, regular security awareness training for all staff, and documented backup and recovery procedures that you’ve actually tested.
Conduct regular testing
Run tabletop exercises with your leadership team at least annually. Test your backup restoration procedures quarterly to ensure they actually work.
Validate that your security controls are functioning as designed, not just documented. And review and update your plans as your organization grows and adds locations.
Have the board-level conversation now
For PE-backed organizations, be prepared to demonstrate systematic risk management across your entire platform. Document your cost-benefit analysis of prevention investments versus potential breach costs. And ensure your incident response plan scales across all locations and can be executed consistently at every site.
Prevention costs less than recovery every time

The ransom payment is the smallest part of your total breach cost. Whether you pay or not, you’re facing the same investigation, remediation, and recovery process. But you have complete control over one critical factor: how prepared you are when it happens.
Organizations that survive breaches have security frameworks and incident response plans in place before disaster strikes. Organizations that fail are scrambling to figure out insurance coverage and vendor contacts while systems are down and patient data is exposed.
For MSOs managing complex, multi-site operations, incident preparedness isn’t optional. It’s a business continuity requirement that protects your patient relationships, your growth trajectory, your relationship with PE sponsors and board members, and your providers’ ability to continue delivering care.
Schedule a risk assessment with Focus Solutions. As your Unified Partner for Managed IT, Managed Security, and Managed Data, we help you build incident response frameworks that scale with your platform—from insurance policy review to technical controls implementation to tested recovery procedures. Let’s ensure you’re never making the “to pay or not to pay” decision without the preparation that protects your entire organization.