April 9, 2025
It is hard work to complete medical school, a residency, a fellowship, and then begin the early years of a practice.
It is even more challenging to manage the growing patient volume and acquire new partners.
Managing a large office practice can be an escalating obstacle for busy physicians. But after several years of putting in the hard work, the partners are typically able to relax to a certain degree as their dream of a successful practice becomes a reality.
All it takes is one disruption—one seismic shock—to threaten everything that has developed over decades. This kind of disruptive event is often a cyberattack, one that specifically interrupts the billing process.
A billing-related hack was experienced by a small surgery practice in February 2024, when cyber criminals unleashed a ransomware attack on the medical billing company used by the practice.
We all know the process. The billing company gets the billing codes from the physician and converts them into claims, which are then sent to the insurance company that approves the claims and pays the medical practice.
As a result of this cyberattack, no invoices were processed by the billing company. Very quickly, the surgery practice’s income stream went dry and came to a complete stop.
It became clear that a loan would have to be secured to pay the salaries of the staff and the expenses of managing the practice. But who would provide this six- or seven-figure loan? How would it be secured? Who would be responsible for the interest? How long would it take for the billing company to restart the billing process, and how could it guarantee further attacks weren’t on the way? How long would the physician partners in the medical practice be able to handle a dramatically reduced income—or none?
It took 3 months for the medical practice to secure a loan from the billing company. During that time, the physicians in the practice continued to see patients, perform procedures, generate notes in the chart, and provide professional service codes for the billing company. But no bills were being sent from the billing company to the insurance company. Therefore, no income was being generated to pay the office staff, partners, or mortgage on the facility.
If this situation reads like a nightmare scenario, that is because it is and, unfortunately, it is far more common than you might like to believe.
The US Department of Health and Human Services reported that, since 2019, data breaches from hacking and ransomware have increased by 89% and 102%, respectively. In 2024, 259 million US residents had some portion of their healthcare records stolen over the course of about 590 cyberattacks—190 million of which came from a single ransomware attack.
“These types of attacks cause significant delay and disruption to healthcare delivery, posing a very significant and real risk to patient safety and community safety,” said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association (AHA).
In 2023, Riggi helped The Joint Commission develop “Sentinel Event Alert 67: Preserving patient safety after a cyberattack” to provide guidance and safety actions for healthcare organizations:
The guidance also includes recommendations for smaller surgical practices:
“The intent of all this is not to scare, but to help organizations be aware of the threat and help them prepare,” Riggi said.
Additionally, smaller practices that are hacked and cannot submit invoices to an insurance company should ask their billing company if it can provide a secured loan, as well as what the terms of that loan would be and who would be responsible for paying the interest on it.
Surgical practices should ensure their systems and software are regularly updated and patched to protect against known vulnerabilities, and staff should be provided with regular cybersecurity training so they can learn how to recognize phishing attempts, social engineering tactics, and other common threats.
These strategies are critical for physicians and surgeons, because even one misstep can lead to catastrophic results for their practice, disrupting the income stream and partners’ long-term dreams of having successful careers.
“Small practices are effectively small businesses and they are going to take a huge hit if they are offline for an extended period of time,” said Scott Gee, deputy national advisor for cybersecurity and risk for the AHA. “For a small business, the impact of a 30-day outage is incredible. A hospital with a lot of cash on hand or a much larger enterprise has a very hard time surviving that. But, for a small surgical practice, this is going to be devastating. So, having those contingencies and having a plan in advance is critical.”
Editor’s note: Additional information about cybersecurity is available in the article, “Surgeons Need to Engage in Battle against Cyberattacks,” found in this issue.
The thoughts and opinions expressed in this column are solely those of Dr. Jacobs and do not necessarily reflect those of The Joint Commission or the American College of Surgeons.
Dr. Lenworth Jacobs Jr. is a professor of surgery at the University of Connecticut in Farmington and director of the Trauma Institute at Hartford Hospital, CT.