Your Employee Just Clicked a Phishing Email. Here’s What Happens Next.
It’s a Tuesday afternoon. Your front desk coordinator, Jessica, gets an email that looks like it’s from your EHR vendor. The subject line says “Action Required: Verify Your Account to Avoid Service Interruption.” It looks completely normal — logo, professional formatting, a blue button that says “Verify Now.” She clicks it, types in her username and password, and goes back to checking patients in.
Nothing looks wrong. The office keeps running. Nobody panics.
But something just started that your whole practice will feel for months.
The First 15 Minutes: What You See vs. What’s Actually Happening
From your side of the office, nothing is different. Maybe Jessica notices the login page looked a little off, or maybe she doesn’t notice at all. Either way, she moves on.
On the attacker’s side, it’s a different story. The page Jessica landed on was a nearly perfect copy of your vendor’s login screen — but it was controlled by someone who received her username and password the moment she typed them. Within seconds, an automated system attempts to log into her real account using those exact credentials. If your email doesn’t require a second verification step, they’re in before she’s finished with her next patient.
From inside her email account, the attacker starts quietly. They search her inbox for keywords: payment, invoice, bank, wire, patient, insurance, credentials, VPN, password. They look for email threads with your billing team, your accountant, and any vendors you pay regularly. They’re not in a rush. They’re reading.
The Next Few Hours: The Part You Really Can’t See
This is where things get technical — and this is also where most small medical offices have no visibility whatsoever.
If the attacker finds that Jessica’s email login also works on your practice management system, your patient portal, or your shared network drives — because people reuse passwords — they’ll try all of those too. This is called credential stuffing, and it’s completely automated. In environments where there’s no active monitoring of login behavior across systems, this lateral movement can go undetected for days or weeks.
At the same time, the attacker may set up a mail forwarding rule inside Jessica’s inbox — a hidden rule that silently copies every email she receives to an outside address. This is a favorite technique because it gives them ongoing access to your communications even after you’ve changed her password. Most email clients don’t show forwarding rules on the main screen. You’d have to know to look.
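The “you’d have to know to look” check for hidden forwarding rules can be turned into a routine audit of rule-change events exported from the email platform. The script below is an added example, not code from the article or from any vendor. It assumes records shaped like Microsoft 365 unified audit log entries for the New-InboxRule and Set-InboxRule operations (fields CreationTime, UserId, ClientIP and a Parameters list of Name/Value pairs); that shape, the domain example-clinic.test, and every record in it are constructed for the example, so compare the field names against your own tenant’s export before relying on them.

```python
"""Audit inbox-rule change events for rules that send mail outside the practice.

Added example, not from the original article. The records are CONSTRUCTED to
resemble Microsoft 365 unified-audit-log entries for New-InboxRule and
Set-InboxRule (an assumption about the export shape; verify the field names
against a real export from your tenant).
"""
from dataclasses import dataclass
import re

INTERNAL_DOMAINS = {"example-clinic.test"}  # assumed: the practice's own mail domain(s)

# Rule parameters that cause a copy of the message to leave the mailbox.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

SAMPLE_RECORDS = [  # constructed sample data
    {   # a rule that forwards everything outside and deletes the original
        "CreationTime": "2024-05-14T14:03:11",
        "Operation": "New-InboxRule",
        "UserId": "jessica@example-clinic.test",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "Sync"},
            {"Name": "ForwardTo", "Value": "archive.backup1@mail.example.net"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {   # an ordinary filing rule: nothing leaves the mailbox
        "CreationTime": "2024-05-14T09:15:00",
        "Operation": "New-InboxRule",
        "UserId": "billing@example-clinic.test",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor invoices"},
            {"Name": "MoveToFolder", "Value": "Invoices"},
            {"Name": "SubjectContainsWords", "Value": "invoice"},
        ],
    },
    {   # forwarding, but only to an address inside the practice
        "CreationTime": "2024-05-13T16:40:22",
        "Operation": "Set-InboxRule",
        "UserId": "frontdesk@example-clinic.test",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Copy to manager"},
            {"Name": "ForwardTo", "Value": "manager@example-clinic.test"},
        ],
    },
]


@dataclass
class Finding:
    when: str
    user: str
    rule_name: str
    destination: str
    client_ip: str
    deletes_original: bool  # forward-and-delete hides the copy from the mailbox owner


def _domain(address):
    """Lower-cased domain part of an SMTP address ('' if there is none)."""
    addr = address.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def find_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per external destination in any rule create/change event."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        deletes = str(params.get("DeleteMessage", "")).lower() == "true"
        for key in FORWARDING_PARAMS:
            if key not in params:
                continue
            # One parameter may list several recipients separated by ';' or ','.
            for dest in re.split(r"[;,]", str(params[key])):
                dom = _domain(dest)
                if dom and dom not in internal_domains:
                    findings.append(Finding(rec.get("CreationTime", ""),
                                            rec.get("UserId", ""),
                                            params.get("Name", ""),
                                            dest.strip(),
                                            rec.get("ClientIP", ""),
                                            deletes))
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RECORDS):
        flag = " (deletes the original)" if f.deletes_original else ""
        print(f"{f.when} {f.user}: rule '{f.rule_name}' -> {f.destination} "
              f"from {f.client_ip}{flag}")
```

Run as-is it reports only Jessica’s rule: forwarding to an outside domain, created from an IP the office does not use, with the original deleted so she never sees the copy. The internal “Copy to manager” rule and the filing rule are left alone, which keeps the report short enough that someone actually reads it. Reviewing the output whenever a rule-change event appears, rather than once a quarter, is what closes the gap the paragraph describes.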
If your network has a shared file server — and most medical offices do — the attacker will eventually try to reach it. Once they have access to shared storage, they have access to whatever is on it: patient records, scanned insurance cards, billing spreadsheets, HR files. In some attacks, this stage ends with ransomware — software that encrypts every file it can reach and leaves a note demanding payment to restore them. In others, the attacker simply copies what they want and disappears quietly, leaving no obvious trace until a compliance audit or patient complaint surfaces months later.
According to data published by the HHS Office for Civil Rights, more than 70% of major healthcare data breaches in 2024 and 2025 involved exactly this kind of cyberattack — not a sophisticated government-level hack, but an ordinary phishing email that found its way to someone’s inbox on an ordinary afternoon.
What HIPAA Says About All of This
Here’s the part that surprises a lot of office managers: HIPAA doesn’t only apply if you get caught doing something wrong. It also applies the moment you discover that patient data may have been accessed without authorization — even if nothing has been published or misused yet.
Under the HIPAA Breach Notification Rule, your practice is required to notify affected patients, report the breach to the HHS Office for Civil Rights, and — if more than 500 patients in a state are affected — notify local media, all within 60 days of discovering the breach. The investigation to determine exactly what was accessed, when, and by whom? That has to happen first, and it has to be documented carefully.
In 2023, Top of the World Ranch Treatment Center in Illinois reported a phishing breach that exposed fewer than 2,000 patient records — a relatively small number. OCR investigated and found that the practice had never completed a required Security Risk Analysis. The settlement cost them a financial penalty on top of the breach response costs. The breach itself was almost beside the point. The missing paperwork was the violation.
A small medical practice in Alpharetta, Georgia didn’t get off with a fine. After a ransomware attack, they were forced to permanently close their doors.
Three Things You Can Actually Do Right Now
Not everything requires an IT team. There are a few things any office manager can put in place or push for today — and they genuinely matter.
Turn on two-factor authentication for your email accounts. If your office uses Microsoft 365 or Google Workspace, both platforms let administrators enable this from the account settings without any technical installation. With two-factor authentication active, even if an attacker captures Jessica’s password, they still can’t get into her email without a code that only she receives on her phone. This one step stops the majority of phishing-based account takeovers cold. If you’re not sure how to find this setting, search “[your email platform] + enable MFA for all users” — both Microsoft and Google publish step-by-step guides for this specific task.
Create a simple “I clicked something weird” rule for your team. Right now, most employees who suspect they clicked a bad link say nothing, because they’re embarrassed or they’re not sure it was a problem. That delay is what turns a small incident into a big one. Tell your team clearly: if you click a link and something feels off — the page looked strange, you typed your password somewhere unexpected, the browser did something unexpected — tell someone immediately. No judgment. The faster a potential compromise is reported, the more options you have to contain it.
Know who you would call in the first hour of a real incident. This sounds obvious, but most small practices don’t have an answer to this question. If you discovered tomorrow morning that your file server was encrypted and a ransom note was on every computer screen, who is the first call you make? Write down that number before you need it.
What You Can’t Handle Without Help — and Why That’s Okay
Even if you do all three of those things perfectly, a real incident response goes far beyond them.
Determining exactly what was accessed requires pulling and analyzing log files from your email platform, your network equipment, your servers, and your endpoints — cross-referencing timestamps, IP addresses, and user activity to reconstruct a timeline of what the attacker saw and touched. This process is called digital forensics, and it’s what determines whether you’re reporting a confirmed breach or a contained incident. The difference matters enormously for HIPAA purposes.
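The cross-referencing described in this paragraph, and the “monitoring of login behavior across systems” that the earlier credential-stuffing paragraph says most offices lack, come down to the same mechanics: normalize timestamps from several log formats into one clock, merge them into a single timeline, and then look for one account reaching several systems from an address it has never used. The script below is an added example, not code from the article. Every log line and format in it (an email sign-in export, a VPN appliance line, a file-server event) is constructed, as is the “known IP” baseline per account; real exports differ by vendor, so the three small parsers are the part you would swap out.

```python
"""Merge login events from several log sources into one UTC timeline and flag
an account used from a never-seen IP on more than one system in a short window.

Added example, not from the original article. All log lines, formats and the
known-IP baseline below are CONSTRUCTED for the example; real exports differ.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample data: three sources, three formats, mixed time zones.
EMAIL_SIGNINS = [  # email platform export: ISO 8601 UTC,user,ip,result
    "2024-05-14T13:58:02Z,jessica@example-clinic.test,198.51.100.7,Success",
    "2024-05-14T14:01:40Z,jessica@example-clinic.test,203.0.113.45,Success",
    "2024-05-14T14:09:12Z,dr.patel@example-clinic.test,198.51.100.7,Success",
]
VPN_SYSLOG = [  # VPN appliance: local time with UTC offset, key=value fields
    "2024-05-14 09:12:30 -0500 vpn1 sslvpn: user=jessica src=203.0.113.45 status=login-ok",
    "2024-05-14 08:30:00 -0500 vpn1 sslvpn: user=dr.patel src=198.51.100.7 status=login-ok",
]
FILESERVER_EVENTS = [  # file server: epoch seconds|user|ip|resource|action
    "1715696310|jessica|203.0.113.45|\\\\files\\billing|read",
]
# Assumed baseline of the IPs each account normally signs in from.
KNOWN_IPS = {"jessica": {"198.51.100.7"}, "dr.patel": {"198.51.100.7"}}


@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, already converted to UTC
    user: str      # normalized account name (local part only)
    ip: str
    source: str    # which log the event came from
    detail: str


def _norm_user(raw):
    return raw.strip().lower().split("@", 1)[0]


def parse_email(lines):
    for line in lines:
        ts, user, ip, result = line.split(",")
        if result != "Success":
            continue  # only successful sign-ins matter when tracing access
        yield Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                    _norm_user(user), ip, "email", result)


VPN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) \S+ \S+ "
    r"user=(?P<user>\S+) src=(?P<ip>\S+) status=(?P<status>\S+)$")


def parse_vpn(lines):
    for line in lines:
        m = VPN_RE.match(line)
        if not m or m["status"] != "login-ok":
            continue
        local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
        yield Event(local.astimezone(timezone.utc), _norm_user(m["user"]),
                    m["ip"], "vpn", m["status"])


def parse_fileserver(lines):
    for line in lines:
        epoch, user, ip, resource, action = line.split("|")
        yield Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                    _norm_user(user), ip, "fileserver", f"{action} {resource}")


def build_timeline(email=EMAIL_SIGNINS, vpn=VPN_SYSLOG, files=FILESERVER_EVENTS):
    """Merge every source into one list ordered by UTC timestamp."""
    events = [*parse_email(email), *parse_vpn(vpn), *parse_fileserver(files)]
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Alert:
    user: str
    ip: str
    sources: list        # systems reached, in time order
    first_seen: datetime
    last_seen: datetime


def find_cross_system_new_ip(timeline, known_ips=KNOWN_IPS, window=timedelta(hours=2)):
    """Flag (user, ip) pairs where an unknown IP reaches 2+ systems within `window`."""
    by_pair = defaultdict(list)
    for ev in timeline:  # timeline is already time-ordered
        if ev.ip not in known_ips.get(ev.user, set()):
            by_pair[(ev.user, ev.ip)].append(ev)
    alerts = []
    for (user, ip), evs in by_pair.items():
        sources = []
        for ev in evs:
            if ev.source not in sources:
                sources.append(ev.source)
        if len(sources) >= 2 and evs[-1].ts - evs[0].ts <= window:
            alerts.append(Alert(user, ip, sources, evs[0].ts, evs[-1].ts))
    return alerts


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(f"{ev.ts.isoformat()}  {ev.source:<10} {ev.user:<9} {ev.ip:<14} {ev.detail}")
    for a in find_cross_system_new_ip(tl):
        print(f"ALERT {a.user} from {a.ip}: {' -> '.join(a.sources)} "
              f"between {a.first_seen.time()} and {a.last_seen.time()} UTC")
```

On the sample data the merged timeline shows Jessica’s normal sign-in, then a sign-in from a new address, then that same address on the VPN eleven minutes later and on the billing share six minutes after that, which is exactly the “what the attacker saw and touched” sequence a forensic review has to reconstruct. Dr. Patel’s activity from a known office address produces nothing. The window check is deliberately simple (span of first to last unknown-IP event); the point is that without a common clock and a per-account baseline none of the three logs says anything alarming on its own.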
Isolating a compromised system without triggering a ransomware payload to detonate — if one is present — requires knowing the difference between unplugging a network cable and running a remote isolation command through your endpoint management software. Getting this wrong can mean the difference between one encrypted workstation and an encrypted server room.
The HIPAA breach notification letters themselves must include specific elements: a description of what happened, the types of information involved, what steps the practice is taking, what affected individuals can do to protect themselves, and contact information for questions. They need to go out to the right people within the right timeframe, and the documentation of the entire process needs to be retained for six years.
Total recovery costs for a healthcare ransomware incident averaged $2.57 million per incident in recent reporting — not because the ransom demand was that high, but because of the investigation, the remediation, the notification process, the regulatory response, and the operational downtime while systems are restored. The ransom demand itself, on average, has actually come down. The surrounding costs have not.
The Real Question Isn’t “Could This Happen to Us?”
Healthcare practices of every size are being targeted — specifically because they hold valuable patient data, often run lean IT operations, and are under regulatory pressure that makes paying a ransom feel faster than investigating. 88% of healthcare employees opened phishing emails in 2024, according to cybersecurity research cited in HIMSS reporting. Not clicked — opened. The actual click rates are high enough that the question for a small practice isn’t whether a phishing email will land in someone’s inbox. It’s whether the environment around that inbox is built to contain what happens next.
A practice that has multi-factor authentication active, monitored endpoints, a maintained backup that isn’t connected to the same network as everything else, and a documented incident response plan is not invincible. But it’s a practice where a bad Tuesday afternoon stays a bad Tuesday afternoon — not a six-month recovery, a regulatory investigation, and a letter to every patient you’ve seen in the last three years.
If you’re not sure what your current environment looks like from a security standpoint — what’s monitored, what’s backed up, what would happen if something did go wrong — that’s the right question to start with. It’s exactly the kind of conversation worth having before the phishing email, not after.