KOR-2024-C004
Healthcare

Meridian Health Group — Ransomware contained in four hours

When ransomware hit a regional healthcare provider, Korur contained the breach in four hours and restored clinical systems within sixteen — with no patient data lost.

The challenge

At 02:14 on a Tuesday, Meridian's on-call clinician found patient-records access locked behind a ransom note. Encryption was spreading across shared drives, and the systems that clinicians rely on for medication histories and scheduling were going dark across multiple sites.

In healthcare the stakes are immediate and human: every hour of downtime means delayed treatment and cancelled appointments, and a confirmed breach of patient data carries severe regulatory consequences. Meridian's small internal IT team had never faced an attack of this scale.

They needed professional containment immediately — someone to stop the spread, preserve forensic evidence, and bring clinical systems back without paying the ransom or losing patient records.

Our solution

Korur's incident-response team engaged within minutes of the call. We isolated affected segments from the network to halt the encryption's spread, identified the initial access vector — a compromised remote-access account — and revoked it before the attacker could re-enter.

Working from clean, verified backups, we rebuilt the clinical systems in priority order so the highest-impact services came back first. Every step was logged and evidence preserved, both to support the regulatory notification and to rule out silent data exfiltration.

Once systems were stable we hardened the environment: enforced multi-factor authentication on all remote access, segmented the clinical network, and stood up monitoring so a repeat attempt would be caught in seconds rather than hours.

Services used

The results

Breach contained: 4 hours

Systems fully recovered: 16 hours

Patient records lost: 0

Ransom paid: €0

We called Korur in the middle of the worst night of my career, and they were containing the attack within the hour. Sixteen hours later our clinicians were back online with every patient record intact. They didn't just fix it — they made sure it can't happen again.

Dr. Elise Hartman

Chief Medical Information Officer, Meridian Health Group
