The numbers small practices ignore
Healthcare data breaches cost an average of $7.42 million per incident in 2025 — the highest of any industry for the 14th consecutive year, according to IBM. The Change Healthcare ransomware attack was confirmed to have impacted roughly 192.7 million individuals, nearly two thirds of the US population.
The detail that should bother clinic owners is time, not ransom size. Healthcare has the longest breach lifecycle of any industry at 279 days to identify and contain, and that detection lag is the cost driver, since dwell time is what turns a $1 million incident into a $10 million one. By the time you see the ransom note, the attacker has been reading your files for months.
This is a Canadian problem
Our own record says so. In October 2023, a ransomware attack crippled IT systems at five hospitals in southwestern Ontario, forced cancellations of surgeries and appointments, pushed facilities into "Code Grey," and stole personal health information from more than 516,000 patients, with recovery taking weeks.
Toronto's SickKids was locked down by ransomware in December 2022, and a 2021 attack on Newfoundland and Labrador's health network delayed thousands of procedures at an estimated cost of $16 million.
You are not too small to attack. You are the right size to attack at volume.
Small practices are explicitly on the menu. Because attackers adjust ransom amounts to a target's perceived ability to pay, they can hold an individual physician office's systems for ransom in the C$3,000 to C$5,000 range and still expect a reasonable likelihood of payment.
Why clinics are soft targets
Hospitals and clinics have low tolerance for downtime, complex mixes of old and new systems, and often lag in security resources — while stolen medical records fetch high prices because of the personal detail they contain.
The playbook has evolved. Modern healthcare ransomware follows a double extortion model where criminals steal patient data before encrypting systems, and groups now exfiltrate data within hours of the initial breach.
Your vendors are a threat you didn't sign up for. Healthcare breaches involving a business associate or vendor doubled in one year, jumping from 15% to 30% of all incidents. Every EMR provider, billing service and AI tool you connect to is a door into your practice that someone else controls.
And smaller organizations suffer most. Community hospitals, rural facilities and safety-net clinics run older equipment with smaller IT staffs and less bargaining power, are least able to patch quickly, and come back online last.
What reduces the risk
Shrink the detection gap
The 279-day dwell time is the cost driver you can attack directly. Continuous monitoring by a security operations centre (SOC) is the difference between catching an intrusion in hours and discovering it after nine months.
Make backups un-encryptable
Traditional backups are often encrypted alongside production systems during attacks, while immutable backups cannot be altered or deleted by ransomware, enabling recovery without paying. If the attacker can reach and scramble your backup, it is a second hostage, not a backup.
Lock the obvious doors
- Patch fast. Up-to-date patching for internet-facing systems.
- Least privilege. Unique logins with least privilege and MFA everywhere feasible.
- Segment the network. Network segmentation separating clinical devices from general IT.
- Train for phishing. Most successful ransomware attacks begin with phishing emails or social engineering.
Interrogate your vendors
With a third of incidents arriving through a business associate, "who has access to our data and how do they secure it" is a mandatory question.
Write the plan before you need it
A tested incident-response plan turns a catastrophe into a bad week. Improvising during a live Code Grey turns it into a closure. The CMPA outlines a custodian's duty to notify affected patients, the privacy commissioner and the ministry of health after a breach, and recommends contacting the CMPA and law enforcement as soon as possible — especially after a ransomware attack. Have those numbers written down before the screens lock.
Buyable resilience, built for small practices
Ransomware in healthcare is a when, not an if. The clinics that survive it well assumed it was coming, detected it early, and recovered from backups the attacker couldn't touch. For a small practice without an in-house security team, that capability is buyable — and it costs far less than $7.42 million.
Scalogic provides Ontario clinics with 24/7 SOC monitoring, immutable backups, and the fundamentals that keep ransomware from becoming a Code Grey. Built for practices that can't staff a security team, because attackers already know you can't. See our healthcare IT services and Cybersecurity & SOC →
Frequently asked questions
Are small clinics really targeted by ransomware?
Yes. Attackers adjust ransom demands to a target's ability to pay and can hold a single physician office for ransom in the C$3,000 to C$5,000 range and still expect payment. Small practices are attacked at volume, not overlooked.
What is a Code Grey in a healthcare setting?
Code Grey is the hospital emergency code for a loss of critical systems or infrastructure, including IT outages. A ransomware attack that encrypts clinical systems can force facilities into Code Grey, cancelling surgeries and appointments.
What single change reduces ransomware cost the most?
Shrinking the detection gap. Healthcare has the longest breach lifecycle of any industry at 279 days, and that dwell time is the main cost driver. Continuous SOC monitoring catches intrusions in hours instead of months.
Why do backups fail to protect clinics during ransomware?
Traditional backups are often encrypted alongside production systems during an attack, so they become a second hostage. Immutable backups cannot be altered or deleted by ransomware, enabling recovery without paying.
This article is general information, not legal or medical advice. Statistics are drawn from publicly reported figures including IBM's Cost of a Data Breach research and reporting on the Change Healthcare and southwestern Ontario incidents.