Brookside ENT & Hearing Center (Michigan) 

Permanent closure after ransomware

The Catastrophe 

In April 2019, the two-physician clinic’s systems were encrypted, wiping access to medical records, schedules, and billing. The practice announced it would close permanently rather than attempt recovery. (Sources: The HIPAA Journal; Star Tribune)

Fallout 

Reports note the demand was about $6,500; regardless of the amount, the clinic couldn’t restore its records, because the backups had been encrypted as well, and it shut its doors for good. (Source: Compliancy Group)

Security Layer Failures Analysis 

  • Layer 1: People — No phishing-resistant training; initial compromise succeeded. 
  • Layer 2: Physical — Weak workstation/server access discipline; no segmented admin zones. 
  • Layer 3: Cyber — Absent/ineffective EDR/MDR; backups also encrypted; no zero-trust. 
  • Layer 4: Risk Management — No ransomware tabletop; no single-point-of-failure review. 
  • Layer 5: Leadership — No CISO-level governance to enforce policy & recovery readiness. 
  • Layer 6: Culture — Security treated as overhead, not clinical continuity. 
  • Layer 7: Resilience — Backups weren’t isolated/immutable; recovery plan untested. 

ROI of Prevention 

Fractional CISO+ oversight, phishing-resistant training, EDR/MDR with isolation, and immutable, tested backups could have contained the blast radius and kept the clinic operating. 

Ready to protect your business?