Nightmare before Christmas success story: cyber hacker stopped

By Shawna Bertalot, CIC, ACI, WisMed Assure President


Message from IT Manager: “Unusual activity has been detected on your exchange and our files cannot be backed up.”

This is not how any clinic administrator or managing partner wants to start their Monday morning, but exactly what happened to a long-time WisMed Assure client last December. This highly experienced, professional administrator of a 15-physician independent clinic with over 50,000 patient records was facing a situation she had never experienced before.

“These things always seem to happen over the weekend,” she noted as she recounted how she first learned about a hacker who had made repeated attempts to access the clinic’s system using several different employee sign-in credentials. The Wisconsin Department of Justice contacted the clinic’s IT Manager regarding suspicious activity.

Her first questions were, “What exactly is happening? What access or information have they gained? And how do we stop them?”

Her first call was to an outside IT vendor the clinic had used in the past. She was immersed in troubleshooting the immediate issues, and it wasn’t until about a week later that she remembered that the clinic had Cyber Liability Insurance and called WisMed Assure.

“In hindsight, that should have been the first call, and it is in our policies and procedures now,” she said.

The cyber insurance carrier was extremely responsive. Most policies say that the insurance carrier will select the IT, Legal and other vendors because they have pre-approved and negotiated rates to save everyone time and money. The carrier made an exception and approved the IT vendor the clinic had first contacted so the investigation could proceed.

It took approximately 10 days to identify exactly what was happening, confirm patient and clinic data was secure and develop a plan to stop the attacks. That plan involved removing and restoring Microsoft Exchange, blocking access, using temporary email addresses and ultimately completely rebuilding the clinic’s network. Fortunately, no personal health or personal financial information was breached. The insurance carrier also hired legal counsel to review the forensic IT reports and confirm that no notifications were necessary.

Fortunately for this clinic the hacking attempts were caught and stopped before there was any access to confidential data or impact to patient care. It’s not hard to imagine the stress, worry and disruption this caused the clinic administrator, partners and staff. The IT forensic and legal consulting fees were very costly. The bulk of the investigation and restoration expenses were covered by the insurance policy. The clinic decided to assume some costs to move to cloud-based hosting and implement some additional measures to upgrade their security.

The clinic manager concluded, “We learned a lot about what to do and not to do when something like this happens again,” and she believes, “It’s not a matter of if, but when.” She was very appreciative that they had robust cyber insurance with a carrier that was responsive and successful in stopping a hacker who could have caused a lot more damage.

If you want more information about cyber threats and insurance coverage, contact your WisMed Assure agent or

Note: This article is for informational purposes only and should not be considered as insurance advice related to your specific policy or situation. Please consult with a qualified insurance advisor or professional before making any policy decisions. Full disclaimer and contact information.
