Ransomware took two offices offline. Recovery took eleven minutes.
Dr. Lillian Park
Chief Clinical Officer · BrightSmile Group · Published
Two of our offices went dark at 2:14 AM. By the time the on-call manager called, the attacker had already encrypted the local servers at both locations — patient charts, imaging, the schedule for the day. The kind of morning that ends practices.
It didn't end ours.
What actually happened
Because every workstation and server was protected by immutable, write-once recovery points, the ransomware couldn't touch our history. The encrypted machines were a problem for the local hardware — not for our data.
Our MSP partner saw the alert before we did. They isolated the affected sites, spun up clean restores from the most recent verified copy, and re-pointed the practice-management system. We watched the recovery clock tick.
Eleven minutes. Two locations. Zero patient records lost.
Why it worked
Three things made the difference, and none of them were luck:
- Immutable backups. A recovery point that can't be altered or deleted is the only kind that survives an attacker who already has admin.
- A tested recovery path. Mara had run a full recovery drill at 3:00 AM the night before. We weren't restoring for the first time during a crisis.
- MSP-managed operations. Nobody on my clinical team had to become an incident responder at 2 AM. That's the whole point of the managed model.
The first patient walked in at 7:50 AM. They never knew anything had happened. That's the bar.
Protect every location.
See how DDSArk recovers your fleet in minutes.