The following is a composite case study based on common patterns in ShieldForce-protected hospice agency incident responses. Details have been generalized.
The Agency
A regional hospice provider serving approximately 180 active patients across four counties. Fifty-two staff members including nurses, social workers, chaplains, aides, and administrative staff. EHR: Netsmart myUnity. Email: Microsoft 365. No dedicated IT staff — a part-time IT consultant who handled routine support.
The agency had engaged ShieldForce eight months prior following a conversation at a regional hospice association meeting. Before ShieldForce, they had basic antivirus and a backup drive in the office. After onboarding, they had EDR on all endpoints, advanced email security, MFA enforced across M365, immutable cloud backups, 24/7 SOC monitoring, and a documented incident response plan.
The Attack
At 11:23pm on a Friday, ShieldForce's SOC detected anomalous process behavior on a Windows workstation in the agency's billing office. A process was attempting to enumerate network shares — a classic lateral movement behavior that precedes ransomware deployment.
The alert fired to the on-call SOC analyst. The analyst reviewed the telemetry: the process had been initiated from a user account that had logged in at 9:47pm via a credential that matched the billing manager's account. The billing manager was not scheduled to work Friday night.
At 11:31pm, the SOC analyst initiated containment: the affected workstation was isolated from the network. The billing manager's account was suspended. A second workstation in the billing office that the attacker had already accessed was also isolated.
At 11:39pm — sixteen minutes after the initial alert — the SOC analyst called the agency's designated incident contact: the Executive Director.
The First Hour
The Executive Director, woken by the call, followed the incident response plan. She called the agency's legal counsel (a healthcare privacy attorney whose number was in the plan). She notified the board chair. She confirmed that clinical operations — the nurses on call, the care coordination system — were unaffected: the two isolated workstations were billing machines with no direct access to the clinical EHR.
The SOC continued investigation: the attacker had gained access through a phishing email that had targeted the billing manager approximately eleven days prior. The email had captured the billing manager's Microsoft 365 credentials. The attacker had been monitoring the email account for eleven days, reading billing communications and mapping the network.
The ransomware payload — identified as a variant associated with the Akira group — had been staged on the two billing workstations but had not yet deployed. The SOC's detection and containment had occurred in the reconnaissance and pre-deployment phase.
No patient data was encrypted. No clinical systems were affected. No ransom was demanded because the attack had not reached the deployment stage.
The Recovery
The two isolated workstations were wiped and rebuilt from clean images over the following weekend. All Microsoft 365 accounts were forced to re-authenticate, invalidating the attacker's session token. MFA was confirmed active on all accounts.
The billing manager's phished credentials were the entry point. The root cause: a phishing email that had evaded the basic spam filter in place before ShieldForce's advanced email security was fully deployed. The agency had transitioned email security as part of the ShieldForce onboarding; the phishing email had arrived during the one-week transition window.
A targeted phishing simulation for billing staff was added to the training program.
The Outcome
Patient care: Unaffected. No clinical systems were compromised. No care was disrupted.
Patient data: No breach. The forensic analysis confirmed no data exfiltration from the two affected workstations prior to containment.
Ransom paid: $0.
Recovery time: Two workstations rebuilt over a weekend. Full operations restored by Monday morning.
Regulatory exposure: Because no breach occurred and no patient data was compromised, no OCR notification was required. The incident was documented in the agency's security records as a contained incident.
Cost: ShieldForce's monthly fee. The forensic analysis and incident response were included in the managed service agreement.
What Made the Difference
Three controls determined the outcome:
24/7 SOC monitoring detected the attack at 11:23pm on a Friday. Without it, the billing manager's account would have continued to be monitored by the attacker. The ransomware would have deployed during the weekend when no one was in the office.
Behavioral EDR identified lateral movement. The attacker's share enumeration was detected not because it matched a known malware signature but because the behavior was anomalous — a user account enumerating network shares at 11pm from a process that had no legitimate reason to do so.
The incident response plan was ready. The Executive Director knew exactly who to call and what to do. The plan had been reviewed and rehearsed. There was no improvisation at midnight.
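The behavioral rule described above, written out as an added example (not ShieldForce's detection logic and not code from the original case study): it flags share enumeration outside a user's scheduled hours from a process not expected to enumerate shares, and links the alert to the off-hours logon that preceded it. The account names, host names, process names, schedule, and events are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed schedule and allowlist; a real deployment would source these from HR and asset data.
WORK_HOURS = {"billing.manager": (range(0, 5), time(8, 0), time(17, 0))}  # Mon-Fri 08:00-17:00
EXPECTED_ENUMERATORS = {("svc.backup", "backup_agent.exe")}

# Constructed telemetry modelled on the timeline in the case study (2024-03-08 is a Friday).
EVENTS = [
    {"ts": "2024-03-08T10:15:00", "host": "BILL-01", "user": "billing.manager", "type": "share_enum", "process": "explorer.exe"},
    {"ts": "2024-03-08T21:47:00", "host": "BILL-01", "user": "billing.manager", "type": "logon", "process": None},
    {"ts": "2024-03-08T22:30:00", "host": "FILE-01", "user": "svc.backup", "type": "share_enum", "process": "backup_agent.exe"},
    {"ts": "2024-03-08T23:23:00", "host": "BILL-01", "user": "billing.manager", "type": "share_enum", "process": "placeholder_tool.exe"},
]

def off_hours(user, ts):
    """True when ts falls outside the user's schedule; unknown users count as off-hours."""
    sched = WORK_HOURS.get(user)
    if sched is None:
        return True
    days, start, end = sched
    return ts.weekday() not in days or not (start <= ts.time() < end)

def detect(events):
    """Flag off-hours share enumeration and link it to the off-hours logon before it."""
    alerts, last_logon = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["host"])
        if ev["type"] == "logon":
            last_logon[key] = ts
        elif ev["type"] == "share_enum":
            # Signature-free rule: who enumerated, when, and from which process.
            if (ev["user"], ev["process"]) in EXPECTED_ENUMERATORS or not off_hours(ev["user"], ts):
                continue
            logon = last_logon.get(key)
            linked = logon if logon and off_hours(ev["user"], logon) else None
            alerts.append({
                "host": ev["host"], "user": ev["user"], "process": ev["process"],
                "enum_at": ts, "logon_at": linked,
                "minutes_since_logon": int((ts - linked).total_seconds() // 60) if linked else None,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The daytime enumeration from the user's own session and the nightly backup agent are both ignored; only the 11:23pm event alerts, 96 minutes after the 9:47pm logon.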
This outcome is available to your hospice agency. The controls that made the difference — 24/7 SOC, behavioral EDR, and a tested incident response plan — are what ShieldForce delivers for every hospice client.

