
Preparation Changes Outcomes In Ransomware Attacks

In our latest webinar, we conducted a Red Team/Blue Team post-mortem on a real ransomware attack that hit Frederick Health Medical Group in Maryland in January 2025. The health system has more than 4,000 clinicians and staff across 25 locations.

The Frederick Health attack exposed more than 900,000 patient records and hampered operations for a number of weeks:

Breach Timeline

  • January 27, 2025 – Frederick’s IT team detected unusual network activity, prompting an immediate emergency shutdown of critical systems to contain the threat.
  • January 28 – Frederick activated downtime procedures, including paper-based record-keeping for patient care.
  • February 6 – Cybersecurity experts confirmed that ransomware was the cause of the disruption. Law enforcement agencies, including the FBI, were notified to assist with the investigation.
  • March 28 – Patients were notified of the breach, and the incident was reported to HHS.

Here are some of the lessons learned from the Frederick breach from the perspective of both our Red Team (which goes on offense to simulate real-world attacks) and Blue Team (the defensive unit that tries to detect and prevent those incursions).

Stage 1: Preparation

What drills or defenses could have made the biggest difference prior to the attack?

Red Team – Preparation is a readiness discipline, not a compliance checkbox. Regular penetration testing shows you which paths an attacker would actually take through your environment; tabletop exercises show whether the people who must respond know their roles and their authority. Both are essential.

Blue Team – Readiness requires visibility and an understanding of your weaknesses. Aligning security, IT and operations before an incident is paramount.

In the first hours of this attack, network segmentation put in place beforehand, informed by prior vulnerability testing, could have slowed the attacker's lateral movement and given responders better information to act on.

Stage 2: Detection & Containment

How can you confirm “unusual activity”?

Red Team – Move fast if your firewall or VPN keeps getting password-sprayed. Repeated low-and-slow login attempts across many accounts from the same source are not background noise; they are an attacker working toward a valid credential. Take decisive action before one lands.

Blue Team – Relying on signature-based antivirus instead of behavioral EDR puts your organization at a great disadvantage. Current EDR offers real-time telemetry and identity monitoring, plus the ability to query every endpoint for indicators and isolate compromised hosts before encryption spreads.

An up-to-date asset inventory and layered detection tools let responders pinpoint infected systems quickly and isolate them without interrupting patient-critical applications.
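Confirming "unusual activity" such as the password spraying the Red Team describes is a concrete detection problem, so here is an added example (not code from the original post or from the webinar) that runs spray detection over constructed VPN authentication log lines. The log format, hostnames, usernames and addresses are assumptions made up for the example. The logic looks for one source address failing against many distinct accounts inside a short window, which is the spray signature that per-account lockout counters miss, and then flags any successful login from that source afterwards, which is the "credential landed" moment the Red Team says you must act on.

```python
"""Password-spray detection over constructed firewall/VPN authentication logs.

A spray tries one or two common passwords against MANY accounts from one source,
staying under per-account lockout thresholds, so per-account failure counters miss
it. The signal is one source touching many distinct usernames in a short window.
Log format, hosts, users and IPs below are hypothetical, constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a hypothetical syslog-style VPN auth format.
SAMPLE_LOG = """\
2025-01-27T02:14:05Z vpn1 auth: src=203.0.113.10 user=jsmith result=FAIL reason=bad_password
2025-01-27T02:14:09Z vpn1 auth: src=203.0.113.10 user=mjones result=FAIL reason=bad_password
2025-01-27T02:14:13Z vpn1 auth: src=203.0.113.10 user=rlee result=FAIL reason=bad_password
2025-01-27T02:14:18Z vpn1 auth: src=203.0.113.10 user=akhan result=FAIL reason=bad_password
2025-01-27T02:14:22Z vpn1 auth: src=203.0.113.10 user=tnguyen result=FAIL reason=bad_password
2025-01-27T02:14:27Z vpn1 auth: src=203.0.113.10 user=dpatel result=FAIL reason=bad_password
2025-01-27T02:15:40Z vpn1 auth: src=203.0.113.10 user=dpatel result=OK
2025-01-27T02:16:01Z vpn1 auth: src=198.51.100.7 user=cwright result=FAIL reason=bad_password
2025-01-27T02:16:30Z vpn1 auth: src=198.51.100.7 user=cwright result=FAIL reason=bad_password
2025-01-27T02:17:02Z vpn1 auth: src=198.51.100.7 user=cwright result=OK
2025-01-27T08:30:00Z vpn1 auth: src=192.0.2.44 user=bgarcia result=FAIL reason=bad_password
2025-01-27T08:31:00Z vpn1 auth: src=192.0.2.44 user=bgarcia result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
)

WINDOW = timedelta(minutes=10)   # sliding window for counting distinct users per source
USER_THRESHOLD = 5               # distinct users failing from one source inside WINDOW


def parse(log_text):
    """Return time-sorted (timestamp, src_ip, user, success) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_sprays(events, window=WINDOW, threshold=USER_THRESHOLD):
    """Return {src_ip: {"first_seen", "users", "success_after"}} for spraying sources.

    Per source, keep the failures that fall inside the window; once they cover
    `threshold` distinct users the source is flagged. Any later successful login
    from a flagged source is recorded in success_after: a credential has landed,
    and that account and session need immediate attention.
    """
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside the window
    findings = {}
    for ts, src, user, ok in events:
        if ok:
            if src in findings:
                findings[src]["success_after"].append((ts.isoformat(), user))
            continue
        bucket = recent[src] + [(ts, user)]
        bucket = [(t, u) for t, u in bucket if ts - t <= window]  # drop stale failures
        recent[src] = bucket
        distinct = {u for _, u in bucket}
        if src in findings:
            findings[src]["users"] = sorted(set(findings[src]["users"]) | distinct)
        elif len(distinct) >= threshold:
            findings[src] = {
                "first_seen": bucket[0][0].isoformat(),
                "users": sorted(distinct),
                "success_after": [],
            }
    return findings


def run(log_text=SAMPLE_LOG):
    """Parse the log text and return the spray findings."""
    return detect_sprays(parse(log_text))


if __name__ == "__main__":
    for src, f in run().items():
        print(f"SPRAY from {src}: {len(f['users'])} accounts since {f['first_seen']}")
        for ts, user in f["success_after"]:
            print(f"  !! credential landed: {user} at {ts}")
```

The two non-flagged sources in the sample are deliberate contrasts: 198.51.100.7 fails twice against one account (a brute-force or a user mistyping, caught by per-account lockout logic, not by this rule), and 192.0.2.44 is a single typo followed by success. Only 203.0.113.10 trips the rule, and its later successful login for dpatel is the event that should trigger credential reset and session termination rather than a ticket for the morning.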

Stage 3: Eradication & Recovery

What’s your first step once ransomware is confirmed?

Red Team – Make an initial assessment: which departments are down, where backups live, and who has authority to make the next call. Establish a command center, activate your incident response playbook, and contact your key partners.

Blue Team – It’s a mistake to act too fast. Don’t immediately shut everything down or re-image hosts without first preserving evidence (memory captures, logs and disk images), because the re-image destroys the record of how the attacker got in. Even under great pressure, recovery needs to be measured and methodical.

Having an up-to-date incident response plan, stored on a mobile-accessible platform that stays reachable when the corporate network and file shares are encrypted or shut down, helps guide decision-making and preserve forensic data.

Stage 4: Notification & Lessons Learned

Why does it often take several months to notify patients?

Red Team – Healthcare organizations can’t notify until they know which records were exposed. That requires validation of every name and every file. Frederick Health was able to notify in two months, faster than in most ransomware incidents.

Blue Team – Haste in notifying patients can backfire. You only get one chance to tell your story to the patient base and community.

Pre-approved notification templates and legal coordination workflows can help organizations significantly shorten the detection-to-notification timeline.

Let Breach Lessons Inform Your Readiness

Peer experiences like the Frederick Health attack are no longer cautionary tales – they are readiness accelerators.

Our new webinar reveals that preparation doesn’t eliminate incidents, but it dramatically changes outcomes. Asset visibility, rehearsed response plans, clear authority, and trusted partners all determine whether a breach becomes a prolonged crisis or a controlled disruption.
