Ransomware Playbook for a 4-Physician FHO Clinic (PHIPA + CPSO Edition, 2026)
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Note: the FHO clinic described below is a composite drawn from FC engagements with several Ontario family practices. Specific identifiers have been changed to protect patient and clinic confidentiality. The timeline, the regulator interactions, and the recovery numbers are real.
The text message landed at 7:04 on a Monday morning. The office manager of a four-physician Family Health Organization clinic in west-end Toronto had walked in to open the office. Three front-desk workstations were stuck on a black screen with red lettering.
The EMR was unreachable. The phones were ringing because the on-call line had been forwarding overnight. The first patient was scheduled for 8:30. She did not know whether to send everyone home, and she did not know whether she was allowed to.
I picked up. The first ten minutes were not about the ransomware itself. They were about preventing the next twenty staff actions from making the legal exposure worse than the encryption already had.
By 7:18 we had a containment instruction, a phone tree, and a paper-only workflow for the morning’s booked patients. By 9:30 the Information and Privacy Commissioner of Ontario clock was already running, whether the clinic knew it or not.
I am an MSP, not a lawyer and not a physician. What follows is the operational half of a clinic ransomware playbook, written from inside that engagement and from the half-dozen Ontario clinic incidents I have either led or been called into since 2022.
The patient-notification language and the College reporting decisions belong with your privacy lawyer and your CMPA-supported defence counsel. The first sixty minutes, the evidence preservation, the IPC math, and the recovery sequence are mine to write.
Key Takeaways
- PHIPA section 12(2) and Regulation 329/04 set a 60-day patient notification clock and a separate IPC reporting trigger. Ransomware almost always crosses the IPC threshold for an Ontario family clinic.
- The first decision in the first ten minutes is isolate, do not power off. CCCS guidance: keeping the device powered preserves forensic evidence (CCCS ITSAP.00.099, 2024).
- The 60-day notification stack runs in parallel: patients, IPC, CPSO College reporting, CMPA, and your cyber insurer. Missing any one of the five is what turns a manageable incident into a public one.
- Backup-first recovery without ransom payment is achievable for a 4-physician clinic inside 72 hours of clinical downtime when immutable offline backups exist. Without them the median Canadian clinic ransomware downtime is 11 to 21 days.
- The single artefact that determines outcome is a written Incident Response Plan (IRP) tested in the last 12 months. CPSO and IPC both treat its existence as evidence of reasonable safeguards.
This piece sits inside the longer PHIPA-compliant AI playbook for Ontario clinics. It assumes you have already accepted that your EMR, your scribe vendor, and your billing add-ons are in scope when an attacker reaches your network. If you have not, start there. If you already have, the next 2,500 words are what I would say in the room.
What Ransomware Actually Looks Like in a 4-Doctor Clinic at 7am Monday
The clinic owner had been picturing something cinematic. A skull on a monitor, a countdown timer, a stranger on the phone demanding crypto. The reality was duller and more dangerous.
Three workstations sat at a generic Windows ransom page. The EMR server in the back room had a flashing amber light. The fax modem (yes, family medicine still runs a fax modem) was rebooting in a loop.
The dental clinic that shared the floor was unaffected because it ran its own network. That single network boundary saved their morning.
The 8:30 patient was an elderly woman booked for an INR draw. That anticoagulation check cannot wait the way an annual physical can. The 9:00 was a same-day appointment for a child with a suspected ear infection. The 9:15 was a uterine biopsy result review that one of the physicians needed to deliver in person.
None of those three appointments tolerates a closed clinic. The office manager wanted to call them and reschedule. I asked her not to until we had decided three things first.
What I have learned from sitting in this exact moment with four different Ontario family practices is that the first call almost always wants to be wrong.
The owner calls the EMR vendor first. The EMR vendor (TELUS PS Suite, OSCAR Pro, Accuro, Med Access) is a software vendor with a help desk. It is not a cyber-incident response team.
The right first call is your MSP if you have one, and if you do not, the Canadian Centre for Cyber Security has an incident reporting line. The Canadian Anti-Fraud Centre is the second.
The College of Physicians and Surgeons of Ontario does not run an incident response operation. CPSO runs a complaints process that you may find yourself reported into a week from now (CPSO Medical Records Documentation policy).
If your clinic does not have a named IT incident contact in writing, fix that this week.
The PHIPA Breach Clock Starts the Moment a Competent IT Person Should Have Spotted It
The clinic owner asked me at 7:31 whether the IPC clock had started. I told him yes, and not from the moment we were having the conversation. From the moment the encryption activity began on the EMR server’s file system, which the security event logs would later place at 2:47am that morning.
The “reasonable person should have known” standard is the part most clinic owners miss. It is not the moment you, the physician, opened the email from your MSP.
It is the earliest point at which a competent technical observer of your environment should have caught the indicator. For ransomware that is almost always hours before the workstation lock screen appears.
The attacker has been moving laterally, dumping credentials, and disabling backups for somewhere between 2 and 72 hours beforehand. The case law I have watched build over the last five years treats “reasonable safeguards” under PHIPA section 12(1) and Regulation 329/04 as including endpoint detection and a monitored alerting pipeline.
- The 60-day window. Statutory under PHIPA s.12(2). Clock starts when a reasonable person in the custodian’s position should have known.
- The IPC trigger. Parallel obligation under O. Reg. 329/04 s.6.3 where the breach is significant in nature, scope, or sensitivity.
- The CPSO call. Inside week one rather than week three. Records availability is a continuing duty under CPSO policy.
I told the clinic owner three things in the next four minutes. First, you have a 60-day window from this morning to notify each affected patient in writing, and that window is statutory.
Second, you have a parallel obligation to notify the IPC where the breach involves a significant risk profile. For a multi-physician clinic with an EMR-wide encryption event, you are almost certainly inside that profile.
Third, you should call your College today rather than tomorrow. CPSO’s policy on medical records requires that records remain “accurate, complete, and accessible”, and a ransomware event temporarily breaks all three properties.
That is a fact pattern your College will eventually hear about through other channels if you do not surface it yourself.
I drew the regulator stack on a paper notepad because we did not yet trust any whiteboard in the building.
Patients in 60 days. IPC notification as soon as feasible after determining the breach trigger. CPSO College notification where the disruption to records may have affected patient care. CMPA contact for medico-legal coverage. Insurer notification under the cyber policy.
The insurer clock is usually tighter than the regulators (24 to 72 hours in most Coalition, At-Bay, and Chubb policies I have read for Ontario clinics in 2025 and 2026). The five clocks run in parallel and they do not pause for each other.
The First 60 Minutes: Containment, Evidence Preservation, What NOT to Power Off
The clinic owner’s instinct, like every clinic owner’s instinct, was to pull every plug in the building. I asked him to do five things instead, in this order, while he was still on the phone with me.
Disconnect the network cable from the EMR server but do not power it off. Disconnect the network cables from the three workstations that were showing the ransom note.
Leave the cables in the other workstations alone for now because we needed telemetry from them. Disable Wi-Fi on the office manager’s laptop because it was still talking to the access point.
Photograph each ransom screen with a phone, including any wallet address visible, before he touched anything else.
I built a quick first-hour checklist for this engagement that I now hand to every clinic I support. Print it. Tape it to the inside of the supply closet door.
THE FIRST 60 MINUTES: ARTEFACT FOR THE SUPPLY CLOSET DOOR
- Minute 0 to 10. Office manager photographs every screen showing the ransom note, including any wallet address, ransom amount, and contact instruction. Phone camera is fine. Do not click anything.
- Minute 10 to 20. Disconnect network cables from affected workstations and from the EMR server. Disable Wi-Fi. Do NOT power off any machine. Lock the back-room server-rack door.
- Minute 20 to 30. Call the named IT incident contact (MSP or CIRT). Call the cyber insurer’s breach hotline (the policy number lives on the policy declarations page, which the clinic owner should have outside of email).
- Minute 30 to 45. Identify clinically time-sensitive patients in today’s schedule. INR draws, biopsies, prenatal visits, suspected acute conditions. Use the paper appointment ledger if the EMR is dark.
- Minute 45 to 60. Decide whether the clinic opens, runs paper-only, or closes for the day. Notify reception staff with a written script for inbound calls. Do not say “ransomware” on the phone yet; say “technical disruption affecting our scheduling system.”
Source: Fusion Computing field protocol, adapted from CCCS ITSAP.00.099 and IPC Ontario breach response guidance. fusioncomputing.ca
The do-not-power-off rule is the one clinic owners argue with me about. The instinct to shut everything down is operationally wrong.
Memory-resident malware fragments, encryption keys held in RAM, and the timestamps that establish “when the reasonable person should have known” for PHIPA all evaporate when a machine is hard-powered.
I have been on two engagements where powering down before isolation cost the clinic the ability to prove that the attacker never exfiltrated data. That single factual finding determines whether IPC notification is required and what the patient letter says.
The dental clinic next door called at 7:48 asking if they needed to do anything. I told their office manager to leave their network alone, photograph their router admin page showing no foreign devices, and document the time of the call.
Adjacent tenants in shared-floor medical buildings are a common contagion path. The clinic owner authorised me to call his fax line provider next.
The fax modem reboot loop turned out to be the canary: the attacker had used the fax appliance’s embedded Linux as the initial foothold three weeks earlier.
The 60-Day Notification Stack: Patient + IPC + CPSO + CMPA + Insurer
The clinic owner’s outside privacy counsel, a partner at a Bay Street firm with a healthcare practice, came on the call at 11:00 that Monday.
She walked the owner through the patient-letter content requirements line by line. The Office of the Privacy Commissioner of Canada’s guidance for breach notifications is routinely used by Canadian privacy lawyers as the floor for PHIPA letter content as well.
OPC lists six required elements: a description of the breach circumstances, the date or period of the breach, the type of personal health information involved, the steps the organisation has taken to reduce harm risk, the steps individuals can take to reduce their own risk, and contact information for further questions (OPC Canada, Privacy Breach Response Guidance, 2018).
- Breach circumstances and what is known about how it happened.
- The date or period over which the breach occurred.
- The type of personal health information affected.
- Steps the clinic has taken to reduce the risk of harm.
- Steps the patient can take (e.g. credit monitoring registration).
- Clinic contact information for further questions.
The hardest single drafting decision in the patient letter is whether to say the attacker exfiltrated data or only encrypted it.
Counsel asked me at 11:14 whether I could state with confidence that no PHI had left the building. I told her no. I could state that the attacker had appliance-level access to the fax modem for three weeks, and that the EMR shared drive had been mounted SMB-readable from that appliance the previous Friday night for 47 minutes.
Counsel made the call to draft the letter on the assumption of exfiltration. That was the correct legal call and it was a hard one.
FIELD NOTE FROM MIKE
In four Ontario clinic ransomware engagements between 2022 and 2026, three out of four had no written cyber-insurance policy declarations page accessible outside email. In two of those three, the clinic owner could not produce the policy number during the first 60 minutes because their email was encrypted.
We now ask every healthcare client to keep a printed declarations page and breach-hotline number physically taped to the inside of the supply-closet door. It is the single cheapest change I make on these engagements, and it pays back the first time the email is down.
Mike Pearlstein, CISSP, lead engineer on FC’s healthcare IT engagements since 2018.
For the CPSO College call, the clinic owner’s instinct was to delay until he knew more. I pushed back.
CPSO’s record-keeping policy treats record availability as a continuing duty (CPSO, Medical Records Documentation). A multi-day EMR outage interrupts that duty.
Calling CPSO inside week one and saying “here is what happened, here is what we are doing, here is when we expect records to be restored” is structurally different from CPSO learning about a six-day clinic closure from a patient complaint in week three.
The first conversation goes into a member-services intake. The second goes into a complaints intake, which is a different process with different outcomes.
The Canadian Medical Protective Association call was the easiest of the five. CMPA member services treats cyber incidents the same way they treat any other event with medico-legal exposure: they assign a file, they advise, and they do not bill against the hours.
Every physician partner at the clinic placed that call personally that afternoon. CMPA does not accept a managing partner’s call on behalf of the others (CMPA, Electronic Records Handbook).
For deeper reading on the 60-day patient letter mechanics, the IPC reporting threshold, and the exact statutory language under PHIPA s.12 and O. Reg. 329/04, see the PHIPA 60-day breach notification SOP for Ontario clinics. That spoke walks through the letter templates and the IPC online reporting form field-by-field.
We thought paying the ransom would be the fastest path back to seeing patients on Wednesday. Following the backup-first protocol felt slower in the moment, but we had every chart back, every prescription queue intact, and a clean letter to the IPC inside 48 hours. We never touched the bitcoin wallet.
Recovery Without Paying Ransom: The Backup-First Protocol
The clinic in this engagement had two pieces of luck. They had switched to a managed Veeam backup setup with daily immutable cloud copies six months earlier, after I had pushed on it during a Q3 review.
The attacker had encrypted but had not been able to delete or alter the cloud-side immutable copies. Immutability locks the API path that ransom payloads typically use to scrub backups before encrypting endpoints.
Internal benchmark across three Ontario clinic recoveries in 2025-26 in FC’s anonymized incident-response cohort shows the 72-hour ceiling holds when immutable backups, a clean recovery environment, and a named breach coach are all in place before day one.
The 72-hour recovery ran in three overlapping tracks. Track one was the forensic image. We took bit-for-bit captures of the EMR server, the three locked workstations, and the fax appliance before any restore work began.
The captures went to an external drive that lived in a fireproof box. A copy went to the clinic’s privacy counsel under privilege.
Track two was the clean rebuild. We provisioned a new EMR host inside the clinic’s Azure tenant, restored the previous Friday’s immutable snapshot, applied the EMR vendor’s latest patches, and rotated every credential in the directory.
Track three was the attack-vector remediation. The fax appliance was replaced with a cloud fax service that did not run a public-internet listener. The flat clinic network was segmented into three VLANs: clinical, administrative, and guest.
- Track 1. Forensic image. Bit-for-bit captures to external drive in fireproof box. Copy to privacy counsel under privilege.
- Track 2. Clean rebuild inside the clinic’s Azure tenant from immutable snapshot. Every credential rotated.
- Track 3. Attack-vector remediation. Fax appliance retired. Flat network segmented into three VLANs.
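Track two turns on one decision that the post describes but does not spell out: which snapshot to rebuild from. The selector below is an added example, not Fusion Computing’s or any backup vendor’s tooling. It applies the constraints the post states (the copy must be an immutable cloud-side copy that the attacker could not alter, it must predate the encryption activity, and the backup set must have been verified by a restore test inside the last 90 days) to a constructed snapshot inventory; the timestamps and the `Snapshot` fields are assumptions for illustration.

```python
"""Added example, not Fusion Computing's or any backup vendor's tooling: choose
the restore point for a backup-first rebuild. A snapshot qualifies only if it
predates the earliest indicator, its immutability lock is still in force when
recovery starts, and it is a cloud-side copy; the whole set is refused if it has
not passed a restore test inside the last 90 days. The inventory is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    immutable_until: Optional[datetime]  # None means no immutability lock was applied
    location: str                        # "cloud" (off the clinic network) or "local"


RESTORE_TEST_MAX_AGE = timedelta(days=90)   # "verified inside the last 90 days"

# Constructed inventory for the Monday-morning scenario: encryption activity began
# at 02:47, recovery planning starts at 09:00 the same day.
EARLIEST_INDICATOR = ts("2026-03-16T02:47:00")
NOW = ts("2026-03-16T09:00:00")
LAST_RESTORE_TEST = ts("2026-01-20T00:00:00")
SAMPLE_SNAPSHOTS = [
    Snapshot(ts("2026-03-16T03:00:00"), ts("2026-04-15T03:00:00"), "cloud"),  # after encryption began
    Snapshot(ts("2026-03-15T01:00:00"), ts("2026-03-16T01:00:00"), "cloud"),  # lock already expired
    Snapshot(ts("2026-03-14T01:00:00"), None,                      "local"),  # unlocked, on the clinic LAN
    Snapshot(ts("2026-03-13T01:00:00"), ts("2026-04-12T01:00:00"), "cloud"),  # clean candidate
]


def assess_snapshot(snap: Snapshot, earliest_indicator: datetime, now: datetime) -> list[str]:
    """Every reason this snapshot must not be the restore point (empty list = eligible)."""
    reasons = []
    if snap.taken_at >= earliest_indicator:
        reasons.append("taken after the earliest indicator; may carry attacker changes")
    if snap.immutable_until is None:
        reasons.append("no immutability lock; could have been altered before encryption")
    elif snap.immutable_until < now:
        reasons.append("immutability lock expired before recovery began")
    if snap.location != "cloud":
        reasons.append("on-premises copy sat on the compromised network")
    return reasons


def pick_restore_point(snapshots, earliest_indicator, now, last_restore_test) -> dict:
    """Newest snapshot that passes every check, plus the reasons every other one failed.
    Returns {"chosen": Snapshot|None, "rejected": {iso: [reasons]}, "restore_test_ok": bool}.
    When the set has no restore test inside 90 days nothing is chosen: an unverified
    backup is a hope, not a recovery plan."""
    result = {"chosen": None, "rejected": {}, "restore_test_ok": True}
    if now - last_restore_test > RESTORE_TEST_MAX_AGE:
        result["restore_test_ok"] = False
        return result
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        reasons = assess_snapshot(snap, earliest_indicator, now)
        if not reasons and result["chosen"] is None:
            result["chosen"] = snap
        else:
            result["rejected"][snap.taken_at.isoformat()] = reasons or ["older than the chosen snapshot"]
    return result


if __name__ == "__main__":
    r = pick_restore_point(SAMPLE_SNAPSHOTS, EARLIEST_INDICATOR, NOW, LAST_RESTORE_TEST)
    print("restore test current:", r["restore_test_ok"])
    print("restore from:", r["chosen"].taken_at.isoformat() if r["chosen"] else "nothing eligible")
    for taken, reasons in r["rejected"].items():
        print(f"  skip {taken}: {'; '.join(reasons)}")
```

The rejection reasons are returned rather than just logged so they can go straight into the incident log that counsel and the insurer will later ask for. The 90-day check deliberately refuses the whole set instead of picking the best available snapshot: a backup that has never been restored is exactly the kind of assumption that turns a 72-hour recovery into the 11-to-21-day median.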
By Thursday morning at 11:00, the EMR was live for the four physicians. Clinical care resumed at full schedule by Friday morning.
The clinic ran on paper from 7:30 Monday to noon Thursday: roughly 76 hours of clinical downtime. The 11-to-21-day Canadian healthcare-ransomware median I cited above came from CCCS-tracked incident data for 2023 and 2024 and from anecdotal reporting from peer MSPs serving Ontario healthcare.
The 72-hour recovery is achievable. It is not the median.
The ransom itself was 1.8 BTC. The clinic did not pay.
The forensic image proved within ten days that while the attacker had appliance-level network access for three weeks, the EMR-shared-drive read window had been 47 minutes and only retrieved the previous calendar day’s scheduling data, not the patient charts themselves.
The patient letter, drafted by counsel under that confirmed scope, went out under PHIPA s.12(2) within the 60-day window. It was substantively less alarming than the worst-case letter the clinic owner had spent Monday afternoon dreading.
The total engagement cost (FC time, forensic vendor, replacement hardware, counsel hours, cyber-insurer cost-share, lost clinical revenue) came in at approximately CA$187,000. The cyber policy covered roughly CA$124,000 of that. The clinic absorbed the rest.
For context, the IBM 2024 Cost of a Data Breach Report puts the average global healthcare breach at US$9.77 million; the gap is partly scale and partly Canada-versus-US notification cost.
The point is not that CA$63,000 of out-of-pocket exposure is small. The point is that without the immutable backups, the same incident would have cost the clinic an order of magnitude more.
Most of the additional cost would have been clinical revenue lost during the extended downtime, not the technical recovery itself.
The Clinic-Owner Conversations That Determine Outcome
From FC’s anonymized incident-response cohort, the partnership conversation is the one most often delayed by two days, and that two-day delay is the single largest driver of avoidable patient-letter scope creep.
The partnership conversation went first. The clinic was structured as a Family Health Organization with four physician partners on the contract.
The FHO governance model meant that decisions about whether to pay the ransom, when to reopen, and how to scope the patient letter could not be a single-partner call.
The clinic owner convened a 30-minute working session on Monday at 4:00pm. The agenda was three decisions: who has signing authority for the next 72 hours; what we say to staff this evening; what we say to patients who call tomorrow.
- Conversation 1. Partners on ransom decision authority. FHO governance means this cannot be a single-partner call.
- Conversation 2. Office manager on the patient phone script. Short, factual, points at the eventual letter.
- Conversation 3. Insurer breach coach on scope. Clarifies what the policy covers before forensic costs accrue.
- Conversation 4. Top fifteen referring specialists on temporary fax workaround. Prevents the angry-phone-call cascade.
The patient-facing script question is the one most clinic owners get wrong. The instinct is to say nothing, or to over-apologise and over-explain. Both responses are mistakes.
The correct script is short, factual, and points at the eventual letter. Something close to: “We are experiencing a technical disruption that is affecting our scheduling system. Your appointment today is being rescheduled to [date]. If your visit is time-sensitive, please let me know and we will arrange same-day care. We will be writing to all our patients with full details inside the next several weeks.”
The clinic owner wrote that script with me on Monday afternoon. The office manager read it from a printed card for the next four days.
The referring-specialist conversation was less obvious and the most strategically important.
Family practices in Ontario sit inside a referral web that includes radiology, lab, specialists, pharmacy, home care, and the local hospital’s consult lines.
Each one of those touchpoints had been receiving electronic faxes from the clinic’s appliance, and each one was about to stop receiving them.
The clinic owner sent a one-line note to his top fifteen specialist partners on Monday afternoon: “Our fax system is down for a few days. Please call the clinic mainline for urgent communications. Routine referrals will resume by [date].”
That note prevented a cascade of confused phone calls and angry referring physicians for the rest of the week.
What Goes Into Your IRP to Make This Not a Panic
The clinic in this engagement had a one-paragraph IRP buried inside their privacy policy binder. It said the clinic would “respond appropriately to security incidents in accordance with applicable law.”
That is not an IRP. That is a sentence.
The replacement IRP we wrote in the six weeks after the incident is four printed pages and reads as a series of decisions made before they had to be made.
Page one is the first-hour checklist from earlier in this post, with phone numbers filled in: the MSP after-hours line, the cyber insurer’s 24/7 breach hotline, the CCCS incident reporting line, the privacy counsel’s mobile, the CMPA member-services line, and the clinic’s landlord (because the dental clinic next door needed to be in the loop).
Page two is the regulator-clock matrix: patients (PHIPA s.12(2), 60 days), IPC (O. Reg. 329/04 s.6.3, as soon as feasible), CPSO (where care is affected, inside week one), CMPA (each physician personally, within 48 hours), and insurer (per the policy, usually 24 to 72 hours).
Page three is the patient-facing script and the staff communication template. Page four is the annual tabletop-exercise log: date, scenario rehearsed, gaps identified, fixes assigned.
- Page 1. First-hour checklist with phone numbers filled in (MSP, insurer hotline, CCCS, counsel, CMPA, landlord).
- Page 2. Five regulator clocks: patients 60 days, IPC as soon as feasible, CPSO week one, CMPA 48 hours, insurer 24-72 hours.
- Page 3. Patient-facing phone script and staff communication template.
- Page 4. Annual tabletop-exercise log: date, scenario, gaps, fixes assigned.
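Two of these pages depend on the same timestamp: the “reasonable person should have known” anchor from the PHIPA clock section above, and the page-two regulator matrix that counts forward from it. The script below is an added example, not Fusion Computing’s tooling, that walks a constructed security event stream, picks out the precursor indicators the post describes (backups being disabled ahead of the encryption itself), anchors the clock on the earliest of those or on discovery, whichever came first, and prints the five parallel deadlines. The log lines, host names, detection patterns, and the 24-hour insurer default are assumptions; the policy’s own wording decides the insurer figure.

```python
"""Added example, not Fusion Computing's tooling: find the earliest indicator a
competent observer should have caught, anchor the PHIPA clock on it, and lay out
the five parallel notification deadlines the post lists. The log lines, host
names and detection patterns are constructed for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of a clinic's security event stream: "<timestamp> <host> <message>".
SAMPLE_LOG = """\
2026-03-16T02:31:10 EMR-SRV service: backup agent stopped (manual)
2026-03-16T02:33:42 EMR-SRV process: vssadmin.exe delete shadows /all /quiet
2026-03-16T02:47:05 EMR-SRV file: rename charts/p1001.pdf -> charts/p1001.pdf.locked
2026-03-16T02:47:06 EMR-SRV file: rename charts/p1002.pdf -> charts/p1002.pdf.locked
2026-03-16T02:47:06 EMR-SRV file: rename charts/p1003.pdf -> charts/p1003.pdf.locked
2026-03-16T07:04:12 FRONT-1 user: ransom note on screen, reported by office manager
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Single-event indicators: precursors the post describes (backups being disabled)
# that appear well before any ransom note is shown.
SINGLE_EVENT_INDICATORS = {
    "backup-agent-stopped": re.compile(r"backup agent stopped", re.I),
    "shadow-copy-deletion": re.compile(r"vssadmin\.exe\s+delete\s+shadows", re.I),
}
# Burst indicator: this many renames to one new extension on one host inside the window.
RENAME_RE = re.compile(r"file: rename \S+ -> \S+\.(\w+)$")
RENAME_BURST = 3
RENAME_WINDOW = timedelta(seconds=60)


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the constructed line format into (timestamp, host, message), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, host, msg = m.groups()
            events.append((datetime.fromisoformat(stamp), host, msg))
    return sorted(events)


def find_indicators(events) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, host, indicator) for every precursor found, oldest first."""
    found = []
    renames = defaultdict(list)  # (host, extension) -> rename timestamps
    for stamp, host, msg in events:
        for kind, pattern in SINGLE_EVENT_INDICATORS.items():
            if pattern.search(msg):
                found.append((stamp, host, kind))
        m = RENAME_RE.search(msg)
        if m:
            renames[(host, m.group(1))].append(stamp)
    for (host, ext), times in renames.items():
        times.sort()
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= RENAME_WINDOW]) >= RENAME_BURST:
                found.append((start, host, f"mass-rename-to-.{ext}"))
                break  # one indicator per host/extension: the first burst
    return sorted(found)


def clock_anchor(indicators, discovered_at: datetime) -> datetime:
    """The clock starts at the earliest indicator, or at discovery if that came first."""
    return min([stamp for stamp, _, _ in indicators] + [discovered_at])


def notification_deadlines(anchor: datetime, insurer_hours: int = 24) -> dict[str, Optional[datetime]]:
    """The five parallel clocks from the post's regulator matrix, measured from the anchor.
    IPC has no fixed offset ("as soon as feasible"), so it is carried as None.
    insurer_hours comes from the policy wording (24 to 72 hours in the policies the post cites)."""
    return {
        "patients": anchor + timedelta(days=60),            # PHIPA s.12(2)
        "ipc": None,                                        # O. Reg. 329/04 s.6.3
        "cpso": anchor + timedelta(days=7),                 # inside week one
        "cmpa": anchor + timedelta(hours=48),               # each physician personally
        "insurer": anchor + timedelta(hours=insurer_hours),
    }


def triage(log_text: str, discovered_at_iso: str, insurer_hours: int = 24):
    """Run the whole chain and return (anchor, indicators, deadlines)."""
    indicators = find_indicators(parse_log(log_text))
    anchor = clock_anchor(indicators, datetime.fromisoformat(discovered_at_iso))
    return anchor, indicators, notification_deadlines(anchor, insurer_hours)


if __name__ == "__main__":
    anchor, indicators, deadlines = triage(SAMPLE_LOG, "2026-03-16T07:04:12")
    for stamp, host, kind in indicators:
        print(f"{stamp.isoformat()}  {host:8}  {kind}")
    print("clock anchor:", anchor.isoformat())
    for name, due in deadlines.items():
        print(f"{name:8}  {'as soon as feasible' if due is None else due.isoformat()}")
```

On the constructed log the anchor lands on the backup agent being stopped at 02:31, not on the 07:04 text message, which is the whole point of the “competent observer” standard: the 60-day patient window and the 48-hour CMPA window both count from the earlier time. Run against a real event stream the patterns would be the ones your endpoint detection already emits; the structure (earliest indicator, then fixed offsets per clock) is what belongs on page two of the IRP.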
The single highest-impact item on page four is the tabletop exercise itself. A two-hour drill, run with the office manager, the four physicians, and the MSP, against a written scenario (“it is 7am Monday and three workstations are showing ransom notes”) surfaces 80% of the IRP gaps before they cost anything.
I run these drills with FC’s healthcare clients on an annual cycle. They cost less than one billable physician half-day. They are the single most useful artefact a clinic owner can offer a cyber insurer at renewal.
For the broader hardening checklist that sits underneath the IRP (EMR access controls, OHIP billing data segmentation, MFA enforcement, immutable backup verification, fax-appliance retirement, and the like), the right reading is the OHIP billing data security clinic owner’s checklist.
The IRP is what you do when the safeguards fail. The hardening checklist is how you make them fail less often.
I want to close on what the clinic owner said to me three weeks after the incident, when we were sitting in his office reviewing the final forensic report.
He said the difference between Monday morning and Thursday morning was the written sequence of conversations to run, and the written sequence of regulator clocks to satisfy. The work of building both had been done before he ever needed them.
That is what an IRP is. It is the work that has already been done.
Bottom Line
A 4-physician FHO clinic in Ontario can survive a ransomware event without paying ransom, without losing patient charts, and without a public regulator action.
The path through requires five things in place before the morning the encryption hits. Immutable offline backups verified inside the last 90 days. A written IRP tested inside the last 12 months. A named IT incident contact with after-hours coverage.
A cyber-insurance policy with a 24/7 breach hotline and the declarations page printed and physically accessible. And a clinic owner who has already run the partnership conversation about ransom-decision authority.
None of the five are expensive. All of them are decided before the moment they are needed. Most clinic owners reading this have fewer than three of the five in place.
The right week to fix that is the one before the text message arrives at 7:04 on a Monday.
Fusion Computing helps Ontario family clinics build the operational half of the full healthcare AI clinical-practice guide: incident response, EMR security, OHIP-billing hardening, PHIPA-aligned backup architecture, and the annual tabletop drill. We co-cite work with privacy counsel and we do not write regulatory briefs ourselves. For the parallel non-clinical PIPEDA picture, see our PIPEDA compliance guide for Canadian small business.
FAQ
Does a ransomware event in an Ontario clinic always require IPC notification?
For a multi-physician clinic with an EMR-wide encryption event it almost always does. Ontario Regulation 329/04 section 6.3 sets the IPC notification trigger where prescribed conditions are met, including where the breach is significant in nature, scope, or sensitivity. Counsel typically advises notification where exfiltration cannot be ruled out within the first week of forensic review.
What is the PHIPA 60-day notification deadline?
Under PHIPA section 12(2) a Health Information Custodian must notify each affected individual at the first reasonable opportunity. In practice, Ontario clinics and their counsel work to a 60-day window from the date the breach is identified. The clock runs from when the custodian knew, or when a reasonable person in the custodian’s position should have known, that the breach had occurred.
Should I power off a workstation that is showing a ransom note?
The Canadian Centre for Cyber Security guidance is explicit: isolate the device from the network by disconnecting cables and disabling Wi-Fi, and do not power it down. Powering down destroys memory-resident forensic evidence including encryption keys and attacker artefacts that can be essential to determining whether data was exfiltrated.
Do I have to call the CPSO if my clinic is hit by ransomware?
If the incident interrupts patient care or affects the availability of medical records, calling CPSO inside week one is strongly advised. CPSO’s Medical Records Documentation policy treats record availability as a continuing duty. A proactive member-services call is structurally different from CPSO learning about a multi-day clinic closure through a patient complaint several weeks later.
Should I pay the ransom?
Canadian Centre for Cyber Security and RCMP guidance both recommend against ransom payment. Payment does not guarantee key recovery, does not stop a double-extortion data leak, may trigger sanctions exposure if the operator is a listed entity, and signals to other operators that the clinic will pay again. With immutable offline backups verified inside 90 days, full clinical recovery without payment is typically achievable inside 72 hours.
How much does a 4-physician clinic ransomware incident actually cost?
In the engagement described in this post the all-in cost was approximately CA$187,000, of which roughly CA$124,000 was covered by the clinic’s cyber insurance policy. The clinic absorbed roughly CA$63,000 out of pocket. Costs without immutable offline backups typically run an order of magnitude higher, driven mostly by extended clinical downtime and lost revenue during an 11-to-21-day recovery rather than a 72-hour one.
What is the cyber insurer notification clock?
Most Canadian cyber-liability policies for small healthcare practices require notification of a suspected incident inside 24 to 72 hours of the clinic owner becoming aware. Standard policies issued by Coalition, At-Bay, Beazley, and Chubb in 2025 and 2026 all sit in that window. The policy declarations page contains the breach hotline number; clinic owners should keep a printed copy accessible outside of email.
What is the single most useful thing a clinic owner can do this week?
Print the cyber-insurance policy declarations page and the first-hour checklist, tape both inside the supply-closet door, and book a 90-minute tabletop exercise with the MSP, the office manager, and the physician partners inside the next 60 days. Tested in the last 12 months is the standard most cyber insurers now write into renewal questionnaires, and most clinic owners do not meet it.
Further reading and primary sources
- Personal Health Information Protection Act, 2004 (PHIPA): the governing statute for all Ontario custodians of personal health information.
- Ontario Medical Association practice resources: practical guidance and contract templates for Ontario physicians and clinic owners.
- Infection Prevention and Control Canada (IPAC): clinic operations standards that intersect with privacy-grade physical safeguards.
- CMPA advice publications: member-only and public advisories on technology, AI, and clinical record-keeping.
- Health Canada services portal: federal SaMD licensing, drug, and device regulation that may touch clinical AI tooling.
HOW THIS GUIDANCE WAS ASSEMBLED
This article draws on FC’s anonymized client data across multiple 2025-26 Ontario clinic engagements, including FHO group practices and walk-in clinic chains, plus a named-client moment with the Mississauga family-health practice whose PHIPA-grade AI scribe pilot we ran end-to-end.
It also draws on an original survey of clinic owners and office managers conducted during 2026 Q1 readiness assessments, plus an FC internal benchmark covering PHIPA breach SOP rollout, EMR integration, and AI scribe deployment across Ontario clinic clients.
Layered over all of it is first-person field observation from CEO Mike Pearlstein’s 12-year practice supporting regulated Canadian healthcare SMBs through PHIPA-sensitive technology change.