Threat Detection Response

What Happens in the First 72 Hours After a Healthcare Breach

The first 72 hours after a healthcare breach determine whether it's a controlled incident or an organizational catastrophe. Here's what actually happens, hour by hour, and why preparation is the only thing that makes the difference.

GuardsArm Team

Security Experts

February 27, 2026

You just got the call. Your SIEM is lighting up. Endpoints are encrypting. Or maybe it's quieter than that -- someone found patient data for sale on a dark web forum with your organization's name on it.

Either way, the next 72 hours will define everything. How much data is lost. How much it costs. Whether your organization recovers quickly or spends the next two years cleaning up the mess.

I've been through this with healthcare organizations multiple times. Here's what actually happens, hour by hour.

Hours 0-4: Chaos

The first four hours are pure adrenaline and confusion. Nobody knows the full scope. The IT team is scrambling to figure out what's affected. The phone tree is firing. People are getting pulled out of meetings, off vacation, away from dinner.

The most common mistake in this window is premature action. Someone panics and starts shutting down servers. They kill a domain controller without realizing they just destroyed forensic evidence. They reboot encrypted machines, which in some ransomware variants triggers a secondary encryption payload. They disconnect the backup server from the network, which is smart -- but they do it by pulling the power cable instead of gracefully shutting it down, corrupting the backup catalog.

The second most common mistake is communication chaos. Everyone's calling everyone else. Rumors spread. Someone tells a nurse that "all the patient data is gone." A department head calls a board member directly. Information is flowing in every direction except the right one.

What should happen: activate your incident response plan. Designate an incident commander. Establish a single communication channel. Start documenting everything with timestamps. Do not make changes to affected systems until your forensic team is engaged.

Hours 4-12: Scoping

Once the initial chaos settles, the real work begins. You need to understand what happened, what's affected, and what's still happening.

This is where having a forensic capability -- internal or contracted -- matters enormously. The forensic team starts collecting evidence. Disk images. Memory captures. Network logs. They're trying to answer three questions: How did the attacker get in? What did they access? Are they still in the environment?

That third question is critical and often overlooked. Organizations assume the attack is over because the ransomware has been deployed. But ransomware deployment is the last step of an attack, not the first. The attacker has been in your environment for days or weeks. They may have multiple persistence mechanisms. Cleaning up the ransomware without removing the attacker's access means you get hit again.

During this phase, you're also making clinical decisions. Which systems are down? What's the impact on patient care? Do you need to divert ambulances? Can your clinicians operate on paper processes? Every hospital should have downtime procedures, but most haven't practiced them in years. The transition is always rougher than expected.

Hours 12-24: Notifications begin

By hour twelve, you should have a reasonable understanding of scope. Now the legal and regulatory clock starts ticking.

Your legal counsel needs to be involved from hour zero, but by hour twelve they're driving critical decisions. Who needs to be notified? HIPAA requires notification to HHS within 60 days for breaches affecting 500 or more individuals, but many state laws have shorter timelines. Some require notification within 24 or 48 hours.

Your cyber insurance carrier needs to be notified immediately. Most policies have strict notification requirements, and failing to notify promptly can jeopardize your coverage. The carrier will assign a breach coach -- an attorney who coordinates the response and manages privilege.

Law enforcement notification is a judgment call. The FBI and CISA encourage it, and in some cases it can help -- they may have decryption keys or intelligence about the threat actor. But it also means bringing in an external investigation that you don't control.

Hours 24-48: Recovery decisions

Day two is when the hardest decisions get made. If this is a ransomware event, you're deciding whether to pay. That decision involves your leadership team, your board, your legal counsel, your insurance carrier, and often law enforcement.

The factors are ugly. Can you restore from backups? How long will restoration take? What's the cost of downtime per hour? Is patient data at risk of being published? Is the ransom demand within your insurance coverage?

I've watched organizations agonize over this decision for hours while their clinical operations deteriorate. There's no clean answer. The FBI says don't pay. Your patients need their medications managed. Your surgeons need imaging systems. The pressure is immense.

If you can restore from backups, do it. But verify those backups first. Test the restore. Make sure the backups aren't encrypted too. Make sure the attacker didn't compromise the backup system before deploying ransomware -- because sophisticated groups specifically target backups.
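One concrete way to do the "verify before you restore" check above, as an added example that is not the author's or GuardsArm's code: it assumes a manifest of SHA-256 hashes recorded when each backup was taken, re-hashes the files now, and flags any whose content has turned into high-entropy ciphertext (the 7.5 bits/byte threshold is an assumption; the sample backup files are constructed inline).

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed threshold (bits per byte, max 8.0): encrypted or compressed data sits
# near 8.0, a plaintext SQL dump or uncompressed tar far lower. Tune per format.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(path: str, expected_sha256: str) -> dict:
    """Report whether the file still matches the hash recorded in the backup
    manifest and whether its content now looks like ciphertext."""
    with open(path, "rb") as f:
        sample = f.read(1 << 20)  # first 1 MiB is enough to spot bulk encryption
    entropy = shannon_entropy(sample)
    return {"path": path, "hash_ok": sha256_file(path) == expected_sha256,
            "entropy": round(entropy, 2), "looks_encrypted": entropy > ENTROPY_THRESHOLD}


def build_constructed_backup_set() -> list:
    """Constructed sample data: an intact SQL dump plus an archive overwritten
    with random bytes after the manifest was written (a compromised backup store)."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "patients_2026-02-26.sql")
    bad = os.path.join(d, "imaging_2026-02-26.tar")
    with open(good, "wb") as f:
        f.write(b"INSERT INTO visits VALUES (1, 'clinic', '2026-02-26');\n" * 2000)
    with open(bad, "wb") as f:
        f.write(b"ustar archive header placeholder\n" * 1000)
    manifest = {good: sha256_file(good), bad: sha256_file(bad)}  # taken at backup time
    with open(bad, "wb") as f:  # store compromised before the ransomware ran
        f.write(os.urandom(64 * 1024))
    return [verify_backup(p, h) for p, h in manifest.items()]
```

A file that fails either check is not a backup you can plan a restore around; a test restore of the files that pass is still the only real proof.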

Hours 48-72: Stabilization

By day three, you're either restoring systems from backups, negotiating with an attacker, or doing both. The forensic team is deep into the investigation. Legal is managing notification timelines. Your communications team is handling media inquiries because the local news has the story.

This is also when fatigue sets in. Your IT team has been working around the clock for three days. Mistakes increase. Tempers flare. People start making bad decisions because they're exhausted. If you don't have enough people to rotate shifts, you're going to burn through your team before the recovery is done.

The 72-hour mark is also when the initial crisis transitions to a sustained recovery effort. The acute emergency is stabilized, but full recovery takes weeks or months. Systems need to be rebuilt. Forensic evidence needs to be preserved. Root cause analysis needs to happen. Policies need to be updated. And the organization needs to figure out how to prevent it from happening again.

The lesson

Every healthcare organization will face a breach. The question isn't if, it's when and how bad. The difference between a controlled incident and an organizational catastrophe comes down to preparation.

If you haven't run a tabletop exercise that walks through these 72 hours, you're going to learn all of this under the worst possible conditions. If you don't have forensic capabilities on retainer, you'll spend the first critical hours trying to find someone to help. If your incident response plan lives in a binder nobody's read, it won't help you when the call comes.

GuardsArm provides healthcare organizations with incident response planning, tabletop exercises, and retained forensic capabilities so the first 72 hours go as well as they possibly can. We've been through real breaches with real healthcare clients, and we build that experience into every plan we create. If your IR plan hasn't been tested, or if you don't have one at all, that's a gap we can close before you need it.


Written by GuardsArm Team

Our team of cybersecurity experts brings decades of combined experience in penetration testing, compliance auditing, and incident response. We're dedicated to helping organizations strengthen their security posture.
