HBO’s The Pitt Showed It. Real Hospitals Are Living It.

What Happened on HBO’s The Pitt

To understand Episode 8, you have to go back to Episode 7. A ransomware attack hits hospitals across the Pittsburgh area, and the CEO of Pittsburgh Trauma Medical Center faces a decision most hospital leaders hope they never have to make regarding vulnerable endpoints. Rather than wait to see if their own systems would be next, he pulls the plug first. Everything goes offline, on purpose, before the attack can spread.

It is a preemptive call, and it is the right one. But as Episode 8 shows, doing the right thing does not make it easy.

One detail from the episode stood out to anyone who has ever worked through a real hospital downtime: A staff member tells the team to use ballpoint pens because felt-tip does not press through carbon copies. That is not a line someone Googled. That is the kind of thing you only know if you have actually been through it.

The show earned real praise from experts for how accurately it portrayed a hospital in crisis mode. Their one critique? In the episode, the staff makes it through in a single brutal shift. In reality, outages like this last weeks. Sometimes months.

The Same Day. A Real Hospital. A Real Attack.

On the same day Episode 7 aired, the University of Mississippi Medical Center, a major health network spanning 35 clinics, was hit by a ransomware attack that took down its patient records system, phone lines, and IT infrastructure. Epic, the software that most large health systems use to manage everything from patient records to scheduling to prescriptions, went offline. In response, UMMC made the same call as the fictional hospital on screen: take everything down until it can be confirmed safe.

All 35 outpatient clinics closed. Elective procedures, surgeries, and scheduled appointments were cancelled. The hospitals and emergency departments stayed open, but staff were working entirely on paper. Vice Chancellor Dr. LouAnn Woodward addressed the public directly: “Some of us in the room have been here long enough that we remember taking care of patients with pen and paper.”

The FBI, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency all launched investigations. Patients flooded already overwhelmed phone lines, many confused and worried about their care.

When Dr. Christian Dameff, co-director of the University of San Diego’s Center for Healthcare Cybersecurity, was asked how long recovery would take, he did not mince words. “The trend with these types of attacks the last four or five years, to last weeks to months is not uncommon,” he said.

UMMC is not an outlier. It is, unfortunately, the latest name on a very long list.

Real-Life Healthcare Ransomware Stories

Change Healthcare, February 2024

One Attack. One-Third of America.

If there is a single story that defines the catastrophic potential of a healthcare sector cyberattack, it is Change Healthcare.

In February 2024, the Russian ransomware group ALPHV/BlackCat targeted Change Healthcare, a company that quietly processes nearly one in three healthcare transactions in the United States. Think of it as the behind-the-scenes engine powering prescriptions, insurance claims, and patient verifications across the country. Most people had never heard of it. They felt it the moment it went down.

Pharmacies went dark. Hospitals could not submit claims. Patients could not fill prescriptions. The American Hospital Association warned that providers were at risk of closing their doors simply because they could not get paid for the care they were already delivering.

Change Healthcare paid approximately $22 million in ransom and got almost nothing in return. The hackers took the money, kept the data, and a second criminal group immediately tried to extort them again. By the time the dust settled, 192.7 million people had their personal health data exposed. Total costs ran to $3.09 billion and counting.

The lesson here is not just about one company getting hacked. It is about what happens when a single vendor that touches everything goes down. Your organization does not have to be the target to become the victim.

Ascension Health, May 2024

Over a Billion Dollars in Damage

Ascension is one of the largest nonprofit health systems in the country. On May 8, 2024, a ransomware group known as Black Basta attacked Ascension, forcing staff across its sprawling multi-state network to abandon their computers and fall back entirely on paper. It took over five weeks to restore access to electronic health records.

This was not fiction. 5.6 million patients had their sensitive personal and medical data exposed. When Ascension released its year-end financial report, the organization disclosed a $1.8 billion operating loss, with the ransomware attack cited as a major contributing factor.

Universal Health Services, September 2020

400 Hospitals. One Attack.

When a particularly destructive strain of ransomware known as Ryuk hit Universal Health Services, a chain of 400 hospitals and healthcare facilities, the fallout was swift. Hospitals went to paper. Staff were rerouted. Patients were diverted. Emergency care was thrown into chaos across multiple states. It took three weeks to restore access to electronic health records.

The final bill came to $67 million in direct losses. That was back in 2020. The cost of these attacks has only gone up since.

Scripps Health, May 2021

Four Weeks in the Dark

A ransomware attack against Scripps Health in San Diego knocked out its patient records system for four full weeks. Four weeks of paper records, manual processes, and disrupted care, at a cost of at least $112.7 million in lost revenue and recovery expenses.

Four weeks. How would your organization hold up without its core systems for a month?

University Hospital Düsseldorf, Germany, September 2020

The Case That Changed Everything

This is the story no one in healthcare should ever forget.

On September 10, 2020, a ransomware attack shut down University Hospital Düsseldorf in Germany after hackers exploited a known vulnerability in the hospital’s software, corrupting 30 servers in the process. That same night, a 78-year-old woman suffering from an aortic aneurysm arrived needing emergency treatment. The hospital could not take her. She was diverted to Helios University Hospital in Wuppertal, 32 kilometers away. The delay was approximately one hour.

She died shortly after arriving.

Prosecutors investigated whether the hackers could be charged with negligent homicide, one of the first times a ransomware malware attack had ever been considered in connection with a patient death. After a detailed investigation that included an autopsy and a minute-by-minute review of events, they concluded that her condition had been so severe she likely would not have survived regardless. The charges were dropped.

But the message was impossible to ignore. Chief prosecutor Markus Hartmann said plainly that in cases where a patient’s condition is slightly less critical, a ransomware-caused delay could absolutely be the decisive factor. The law just had not caught up yet.

In a strange twist, when police informed the hackers that they had hit a hospital rather than the university they intended to target, the attackers handed over the decryption key voluntarily and made no further attempts to extort money. But the damage was already done. The hour was already lost.

How to Keep Your Organization Standing When an Attack Hits

Here is the good news: most successful ransomware attacks exploit vulnerabilities that could have been prevented. The gap between a prepared organization and an unprepared one is enormous. Here is where to start implementing best practices.

1. Turn On Multi-Factor Authentication Everywhere

Multi-factor authentication, or MFA, means that logging in requires more than just a password. Think of it like needing both a key and a code to open a door. A stolen password alone should not be enough to bring your organization down. This is especially important for anyone accessing systems remotely or with administrative access. It is one of the simplest, most effective protections available and still widely underused.

2. Keep Backups That Cannot Be Touched

Ransomware works by locking you out of your own data. If your backups live on the same network, they get locked out too. Keeping backups stored offline or in a separate, protected environment means that healthcare providers always have something to fall back on. Just as importantly, test those backups regularly. A backup you have never actually restored is one you cannot count on when it matters most.

3. Build Walls Inside Your Network

Not every system in your organization needs to be connected to every other one. Dividing your network into separate sections means that if one area gets hit, the attack cannot freely spread to everything else. Think of it like the watertight compartments on a ship. One section floods, the rest holds. It is the same principle behind the fictional hospital’s decision to take everything offline at once.

4. Know Who You Are Connected To

Change Healthcare is the clearest example of why this matters. Your organization’s security is only as strong as the vendors and partners you are connected to, especially when considering risks such as social engineering attacks. Audit those relationships. Ask whether your vendors have their own security plans, and ask what happens to your operations if one of them goes dark tomorrow.

5. Practice for the Day You Hope Never Comes

The staff in The Pitt knew to use ballpoint pens on carbon copies because someone had prepared them for exactly that scenario. Does your team know what to do if your systems go down? Are paper forms ready to go? Is there a communication plan that does not rely on technology? Running a downtime drill feels like overkill right up until the day it is not.

6. Watch for Trouble Before It Becomes a Crisis

Cybercriminals are often inside a system for weeks or even months before anyone notices their attack vectors. Having continuous monitoring in place means unusual activity gets flagged early. Pair that with a clear, pre-rehearsed plan for how to respond to an attack, and your team is not wasting critical time figuring out what to do when every minute counts.

7. Invest in Your People

Most breaches start with a human action: a clicked link in a convincing fake email, a password used across multiple accounts, an attachment that looked legitimate. Security awareness training is not a one-time box to check. It is an ongoing investment in the people who are both your biggest vulnerability and your strongest line of defense.