By Brian Butterfield, CISSP
I'll never forget the day I walked into a local healthcare office that thought they were "all set"
with cybersecurity. They had antivirus. They had a professional IT company. On the surface,
everything looked fine.
But when I suggested a simple scan, they brushed it off. 'We're between vendors,' they said.
'We'll circle back once things settle.' That hesitation would prove costly.
The Discovery
Months later, when they finally let us in, I expected the usual—outdated patches, weak passwords, maybe a few suspicious emails. Instead, I found something chilling. Their systems had been infected since 2023. Nearly two years. And not a single person knew.
What We Found Hiding in Plain Sight
• 3 actively compromised devices
• 5 suspicious Windows processes running silently
• 13 persistence footholds — ensuring the malware always came back
• 29 altered registry entries designed to stay invisible
• PowerShell access abuse — giving attackers a remote toolkit
Could Patient Data Have Been Stolen?
We couldn't prove with certainty that patient records were stolen. But the malware in place
was built to steal passwords, EHR logins, financial data, and files.
And here's the cold, hard truth: under HIPAA, not knowing is no defense. The Breach
Notification Rule presumes that any patient data attackers could reach was compromised
unless a documented risk assessment shows a low probability that it was. So even if you
can't prove the data left the building, regulators can treat it as a reportable breach.
That means:
• Mandatory patient notification
• Federal OCR investigation
• Public posting on the HHS "Wall of Shame"
• Fines from $50,000 to $1.5 million per violation
• Loss of patient trust
And many cyber liability policies won't cover you if "reasonable security controls" weren't in
place.
The Villains in the Story
1. ClickFix - a social-engineering lure (a fake error or "verify you're human" prompt) that
tricked staff into running a command themselves, handing attackers the keys.
2. Ursnif Trojan - a credential-stealing parasite targeting patient data, EHRs, and financial
accounts.
Why It Stayed Hidden
This was professional-grade malware: it relaunched after every reboot from its registry
footholds, disguised itself as legitimate Windows processes, and reinstalled itself even after
"removal." Because it lived in autostart entries and abused PowerShell rather than sitting in
one obviously malicious file, antivirus alone never stood a chance.
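As an added example, not from the article or from Microtech, here is a PowerShell check a defender can run on a Windows host to list the autostart registry entries and scheduled tasks that relaunch PowerShell at boot or logon, the two mechanisms behind "comes back after every reboot." It assumes an elevated session on a current Windows build (Get-ScheduledTask available); the indicator list is an assumption for the example, not something taken from the case.

```powershell
# Added example, not from the article: audit Windows autostart locations for
# entries that relaunch PowerShell at boot or logon. Assumes an elevated session.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Launch options typically used to keep a PowerShell foothold out of sight
# (indicator list is an assumption for this example, not from the case).
$suspicious = 'powershell|pwsh|encodedcommand|-enc|-nop|-w(indowstyle)? hidden|bypass|\biex\b|downloadstring|mshta|wscript|cscript|rundll32'

$registryFindings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        $cmd = [string]$p.Value
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $cmd
            Suspicious = [bool]($cmd -match $suspicious)
        }
    }
}

# Scheduled tasks are the other common "comes back after reboot" mechanism.
$taskFindings = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            [pscustomobject]@{
                Key        = $task.TaskPath
                Name       = $task.TaskName
                Command    = $cmd
                Suspicious = $true
            }
        }
    }
}

# Suspicious entries first so a reviewer can triage, then everything else.
@($registryFindings) + @($taskFindings) |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Run it on a known-clean build first and note which entries are expected, so that a later run on a suspect machine shows only the differences.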
The Hard Lesson for Healthcare
This office wasn't reckless. They had antivirus. They had IT support. But HIPAA doesn't care
about 'good intentions.' If data is at risk, you're liable. If you can't prove it wasn't stolen,
regulators assume it was.
Final Thought
Cybercriminals don't always crash systems or lock files with ransomware. Sometimes they
just sit quietly, watching, collecting, waiting. That's what happened here. Two years of silent
compromise. Two years of HIPAA exposure — and no one knew.
If you're not 100% certain your systems are secure, monitored, and compliant — now is the
time to find out.
• Book a Free Cybersecurity Risk Assessment Call with Microtech.
We'll scan your systems, show you exactly what's hiding in plain sight, and explain the results
in plain English. No jargon. No pressure. Just clarity — before regulators or attackers force
your hand.