What would you do if a cyberattack happened to your practice?
In his presentation at the American Society of Ophthalmic Administrators program during the 2025 annual meeting of the American Society of Cataract and Refractive Surgery, “A Cyberattack? It Couldn’t Happen to Us! (Well... It Did, and Here’s What We’ve Learned),” Bill James, MHA, COE, shared that the Talley Eye Institute in Evansville, Indiana, was the victim of such an attack in April 2019. He also discussed the steps the practice took to get its data back, along with how it assessed whether personal health information (PHI) had been compromised.
“Our practice was hacked with Gandcrab V5.2 ransomware by Russian hackers,” said Mr. James. “All servers and several workstations were involved and all affected files were encrypted with the extension .WNMYGNJIV,” he explained. “EHR, email, and other files were also affected and all backups failed. Each affected folder had a .txt file, describing what needed to be done to recover our data” (Figure 1).
On Day 1
On the first day, Mr. James said Talley Eye Institute contacted their health law attorney and the FBI. “The FBI’s recommendation was that we not pay the hackers, but they understood if we made the decision to pay the ransom,” he said.
Next, the practice searched for companies that had experience with the decryption of files. “We felt more comfortable paying a reputable company that could decrypt instead of paying the hackers,” he explained.
Despite the ransomware attack, the practice continued to see patients. “Our retina staff pulled previous injections through the medication inventory system. Our anterior segment physicians are referral-based, and most patients were new patients,” Mr. James noted.
For follow-up patients and post-ops, the practice utilized prior OCTs, Optos images, visual fields, and other diagnostic testing for historical data. The practice also contacted the ASCs to get operative reports for post-op patients.
On Day 2
On the second day, Talley Eye Institute informed the staff of what had happened and what was being done to recover the data. “We also informed staff to tell the patients that our servers had crashed.”
The practice began decrypting data on all servers and determined which of the affected PCs needed to be decrypted and which should instead be wiped and rebuilt.
Two Weeks Later…
Two weeks after the ransomware attack, Mr. James said, terabytes of data were finally decrypted. Day-to-day operations were back to “normal,” and data recorded on paper charts were entered into the EHR system.
At this point, the practice needed to determine if PHI had been compromised.
What the Talley Eye Institute Learned
Six weeks after the ransomware attack, the practice learned that an old account that was no longer used had been compromised. “A brute force attack was launched on this account to gain access,” relayed Mr. James. “Malware was uploaded to our RDP server—16 executables were launched in a span of 20 minutes. The executables allowed the hacking of the administrator account. Ransomware was installed on devices, but PHI had not been compromised.”
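The two signals in Mr. James’s account, a brute-force logon series against an account nobody used any more and 16 executables launched on the RDP server within 20 minutes, are both visible in ordinary authentication and process-creation logs if someone is looking. The following Python is an added example written from a defender’s perspective; it is not code from the presentation or from the practice. The key=value log format, the host and account names, the source address, and the thresholds are all constructed for illustration.

```python
"""Detection heuristics for the two signals in the incident above:
a brute-force logon series against a dormant account followed by a success,
and a burst of process launches on an RDP host. All log lines are
constructed samples in a simplified key=value format; host, account and
source addresses are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: 25 failed logons on 'svc_legacy' over 12 minutes,
    a success, then 16 process launches on the RDP host inside 20 minutes.
    A benign user with one typo and one program launch is mixed in."""
    t0 = datetime(2019, 4, 15, 2, 10, 0)
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} host=RDP-01 event=LOGON_FAIL account=svc_legacy src=203.0.113.10")
    t_ok = t0 + timedelta(minutes=13)
    lines.append(f"{t_ok.isoformat()} host=RDP-01 event=LOGON_OK account=svc_legacy src=203.0.113.10")
    for i in range(16):
        ts = (t_ok + timedelta(seconds=60 + 70 * i)).isoformat()
        lines.append(f"{ts} host=RDP-01 event=PROC_CREATE account=svc_legacy image=C:/Users/Public/tool{i}.exe")
    benign = t0 + timedelta(minutes=5)
    lines.append(f"{benign.isoformat()} host=WS-07 event=LOGON_FAIL account=nurse1 src=10.0.0.21")
    lines.append(f"{(benign + timedelta(seconds=20)).isoformat()} host=WS-07 event=LOGON_OK account=nurse1 src=10.0.0.21")
    lines.append(f"{(benign + timedelta(minutes=1)).isoformat()} host=WS-07 event=PROC_CREATE account=nurse1 image=C:/EHR/ehr.exe")
    return sorted(lines)  # ISO timestamps sort correctly as text


def parse_event(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def detect_brute_force(events, dormant_accounts, fail_threshold=10, window=timedelta(minutes=15)):
    """Report accounts whose failed logons within `window` reach
    `fail_threshold` and are then followed by a success. Any logon activity
    against an account on the dormant list is reported on its own, because
    such accounts should be disabled, not merely unused."""
    findings = []
    fails = defaultdict(list)  # account -> timestamps of failed logons
    seen_dormant = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if acct in dormant_accounts and acct not in seen_dormant and ev["event"].startswith("LOGON"):
            seen_dormant.add(acct)
            findings.append({"type": "dormant_account_activity", "account": acct, "host": ev["host"]})
        if ev["event"] == "LOGON_FAIL":
            fails[acct].append(ev["ts"])
        elif ev["event"] == "LOGON_OK":
            recent = [t for t in fails[acct] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append({"type": "brute_force_success", "account": acct,
                                 "host": ev["host"], "failures": len(recent)})
            fails[acct].clear()
    return findings


def detect_process_burst(events, threshold=10, window=timedelta(minutes=20)):
    """Sliding-window count of process launches per host; report the peak
    count for any host where it reaches `threshold` inside `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "PROC_CREATE":
            per_host[ev["host"]].append(ev["ts"])
    findings = []
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"type": "process_burst", "host": host, "launches": peak})
    return findings


def analyze(lines, dormant_accounts):
    """Run both detectors over raw log lines and return all findings."""
    events = [parse_event(line) for line in lines]
    return detect_brute_force(events, dormant_accounts) + detect_process_burst(events)


if __name__ == "__main__":
    for finding in analyze(build_sample_log(), {"svc_legacy"}):
        print(finding)
```

Run as a script, the sample produces three findings: activity on the dormant account, a successful logon after 25 failures, and a 16-launch burst on RDP-01. The dormant-account rule fires on the very first attempt, which is the cheapest of the three to act on: an account that should not exist cannot be brute-forced if it has been disabled.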
According to Mr. James, the practice was required to report the ransomware attack to the US Department of Health and Human Services (HHS); the Office of Inspector General (OIG); State Attorneys General (AGs) (which included Indiana, Illinois, and Kentucky); the media; referring doctors; and patients.
Talley Eye Institute sent a letter detailing the events of the attack to its patients, letting them know what information was involved, the steps patients could take to protect themselves, and the contact information for the practice if they had questions.
Mr. James said the practice worked with an attorney to provide the information that was needed for the HHS and AG reports. “This included HIPAA policies and procedures; password management policies; notice of privacy practices; previous Risk Assessments and Penetration Test Reports (how your practice has responded to these reports); a description of the incident; and what security steps have been taken since the attack.”
Expenses Incurred
According to Mr. James, the practice’s IT company acknowledged blame for the backup failure and did not charge the practice for its work. The practice paid the data recovery company $167,000, a figure that included stronger antivirus protection and email protection tools supplied by the recovery company. In addition, a deep dive was taken to confirm that there was no exfiltration of data, which cost $20,000. Legal fees totaled $35,000.
“This was all covered and repaid through our cybersecurity insurance policy and no fines or penalties were assessed by the HHS/OIG and Attorneys General,” Mr. James explained.
New Policy and Procedure Changes
Mr. James said the improvements Talley Eye Institute has implemented include hourly backups of all servers and PCs holding crucial data. Backups are written to a local appliance and moved offsite; the backup data is tested and encrypted; and the backups are air-gapped, with no connection between the backup and the practice’s network.
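The detail that matters most in that list is “tested”: the original backups existed, but all of them failed when they were needed. The following Python is an added example, not the practice’s tooling, of what a minimal restore test and freshness check look like. It backs up a small constructed directory tree, writes a SHA-256 manifest from the live files, restores the archive into a scratch directory and compares every file against the manifest, and checks that the newest backup is no older than the hourly cadence. Encryption at rest and the air gap are properties of the storage and transport rather than of this script, so they are not modelled here; file names, contents and the backup-naming scheme are all assumptions.

```python
"""Restore-and-verify check for an hourly backup set (added example).
Builds a constructed source tree, archives it with a SHA-256 manifest,
restores into a scratch directory and verifies, then repeats against a
deliberately tampered archive to show that the test catches it."""
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

BACKUP_PREFIX, BACKUP_SUFFIX = "backup-", ".tar.gz"   # assumed naming scheme
STAMP_FORMAT = "%Y%m%dT%H%M%S"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path, now: datetime) -> tuple[Path, Path]:
    """Archive `src` into dest/backup-<stamp>.tar.gz and write a manifest of
    'digest  relative/path' lines beside it. The manifest is computed from
    the live files, so a later restore test is judged against what the
    data looked like at backup time, not against the archive itself."""
    stamp = now.strftime(STAMP_FORMAT)
    archive = dest / f"{BACKUP_PREFIX}{stamp}{BACKUP_SUFFIX}"
    manifest = dest / f"{BACKUP_PREFIX}{stamp}.sha256"
    lines = []
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                tar.add(str(p), arcname=rel)
                lines.append(f"{sha256_file(p)}  {rel}")
    manifest.write_text("\n".join(lines) + "\n")
    return archive, manifest


def verify_backup(archive: Path, manifest: Path, scratch: Path) -> list[str]:
    """Restore `archive` into `scratch` and return the relative paths that are
    missing or whose content differs from the manifest. Empty list = the
    backup restores cleanly; anything else is a failed backup."""
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, _, rel = line.partition("  ")
        expected[rel] = digest
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            # Only regular files with sane relative names are restored.
            if not member.isfile() or member.name.startswith("/") or ".." in Path(member.name).parts:
                continue
            target = scratch / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src_f, target.open("wb") as out:
                shutil.copyfileobj(src_f, out)
    problems = []
    for rel, digest in expected.items():
        restored = scratch / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            problems.append(rel)
    return problems


def newest_backup_age(dest: Path, now: datetime) -> Optional[timedelta]:
    """Age of the most recent archive in `dest`, or None if there is none."""
    stamps = []
    for p in dest.glob(f"{BACKUP_PREFIX}*{BACKUP_SUFFIX}"):
        stamp = p.name[len(BACKUP_PREFIX):-len(BACKUP_SUFFIX)]
        stamps.append(datetime.strptime(stamp, STAMP_FORMAT))
    return now - max(stamps) if stamps else None


def backup_is_fresh(dest: Path, now: datetime, max_age: timedelta = timedelta(hours=1)) -> bool:
    age = newest_backup_age(dest, now)
    return age is not None and age <= max_age


def run_demo() -> dict:
    """Constructed end-to-end run: clean backup verifies, tampered archive
    checked against the original manifest does not, freshness both ways."""
    now = datetime(2019, 4, 15, 2, 0, 0)  # constructed clock
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, tampered_dir = root / "ehr", root / "backups", root / "tampered"
        (src / "charts").mkdir(parents=True)
        dest.mkdir()
        tampered_dir.mkdir()
        (src / "charts" / "patient-0001.txt").write_text("OCT 2019-04-14: stable\n")  # constructed
        (src / "schedule.csv").write_text("08:00,new patient\n")                      # constructed
        archive, manifest = make_backup(src, dest, now)
        clean = verify_backup(archive, manifest, root / "restore1")
        # Simulate silent corruption of the stored copy: a changed file in the
        # archive while the manifest still describes the original data.
        (src / "schedule.csv").write_text("08:00,CORRUPTED\n")
        tampered, _ = make_backup(src, tampered_dir, now)
        bad = verify_backup(tampered, manifest, root / "restore2")
        return {
            "clean_problems": clean,
            "tampered_problems": bad,
            "fresh": backup_is_fresh(dest, now + timedelta(minutes=30)),
            "stale": backup_is_fresh(dest, now + timedelta(hours=3)),
        }


if __name__ == "__main__":
    print(run_demo())
```

A test like this belongs in the hourly schedule itself, with its result logged somewhere the backup cannot overwrite, so that a backup that has stopped restoring is noticed the next hour rather than on the day of the incident.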
Mr. James said the practice will continue to obtain appropriate penetration tests, vulnerability tests, and risk assessments. “This includes discussing the results of these in board meetings; documenting the observations and recommendations in the board meeting minutes; and designating these items as fixed, working on, or known and acceptable risks,” he concluded. OM