# Preparation Changes Outcomes In Ransomware Attacks

In our latest [webinar](/content/cybersecurity-webinars/ransomware-reality/index.html), we conducted a Red Team/Blue Team post-mortem on a real ransomware attack that occurred last year at Frederick Health Medical Group in Maryland. The system has more than 4,000 clinicians and staff across 25 locations.

The Frederick Health attack exposed more than 900,000 patient records and hampered operations for a number of weeks:

**Breach Timeline**

- January 27, 2025 – Frederick’s IT team detected unusual network activity, prompting an immediate emergency shutdown of critical systems to contain the threat.
- January 28 – Frederick activated downtime procedures, including paper-based record-keeping for patient care.
- February 6 – Cybersecurity experts confirmed that ransomware was the cause of the disruption. Law enforcement agencies, including the FBI, were notified to assist with the investigation.
- March 28 – Patients were notified of the breach, and the incident was reported to HHS.

Here are some of the lessons learned from the Frederick breach from the perspective of both our Red Team (which goes on offense to simulate real-world attacks) and Blue Team (the defensive unit that tries to detect and prevent those incursions).

**Stage 1: Preparation**

_What drills or defenses could have made the biggest difference prior to the attack?_

_Red Team_ – Preparation is a readiness discipline, not just a compliance checkbox. Regular penetration testing and tabletop exercises are essential to readiness.

_Blue Team_– Readiness requires visibility and an understanding of your weaknesses. Aligning security, IT and operations _before_ an incident is paramount.

In the first hours of this attack, vulnerability testing and network segmentation could have slowed the attacker’s lateral movement and improved decision-making.

**Stage 2: Detection & Containment**

_How can you confirm “unusual activity”?_

_Red Team_ – Move fast if your firewall keeps getting password-sprayed. Take decisive action _before_ the breach.

_Blue Team_ – Relying on antivirus instead of behavioral EDR puts your organization at a great disadvantage. Current EDR offers real-time telemetry and identity monitoring, plus the ability to check every device before encryption spreads.

Asset mapping and layered detection tools can quickly pinpoint infected systems without interrupting patient-critical applications.

**Stage 3: Eradication & Recovery**

_What’s your first step once ransomware is confirmed?_

_Red Team_ – Make an initial assessment: which departments are down, where backups live, and who has authority to make the next call. Establish a command center, activate your incident response playbook, and contact your key partners.

_Blue Team_ – It’s a mistake to act too fast. Don’t immediately shut everything down or re-image without preserving evidence. Even under great pressure, recovery needs to be measured and methodical.

Having an up-to-date incident response plan (stored in a mobile-accessible platform) helps guide decision-making and preserve forensic data.

**Stage 4: Notification & Lessons Learned**

_Why does it often take several months to notify patients?_

_Red Team_ – Healthcare organizations can’t notify until they know which records were exposed. That requires validation of every name and every file. Frederick Health was able to notify in two months, faster than in most ransomware incidents.

_Blue Team_ – Haste in notifying patients can backfire. You only get one chance to tell your story to the patient base and community.

Pre-approved notification templates and legal coordination workflows can help organizations significantly shorten the detection-to-notification timeline.

**Let Breach Lessons Inform Your Readiness**

Peer experiences like the Frederick Health attack are no longer cautionary tales – they are readiness accelerators.

Our new [webinar](/content/cybersecurity-webinars/ransomware-reality/index.html) reveals that preparation doesn’t eliminate incidents, but it dramatically changes outcomes. Asset visibility, rehearsed response plans, clear authority, and trusted partners all determine whether a breach becomes a prolonged crisis or a controlled disruption.
