
2025’s Biggest Healthcare Data Breaches: Lessons for 2026

Another Brutal Year for Patient Data

2025 did not break the record set by the Change Healthcare attack—that catastrophic breach affected 193 million people and remains the worst in healthcare history. But 605 healthcare breaches were still reported to HHS, affecting 44.3 million Americans.

The numbers tell a familiar story: healthcare remains one of the most targeted sectors, and the patterns of failure repeat year after year. Understanding what happened in 2025 is essential for organizations determined to avoid becoming 2026 statistics.


The Biggest Breaches of 2025

Yale New Haven Health System: 5.56 Million Affected

Connecticut’s largest health system detected unusual activity on March 8, 2025. Hackers had breached the network and obtained sensitive data including names, contact information, demographic data, medical record numbers, and Social Security numbers. The electronic medical records system was not accessed, but the breach affected 5.56 million patients.

Episource: 5.42 Million Affected

This IT vendor providing risk adjustment and medical coding services to health plans suffered a ransomware attack in February 2025. When a vendor with access to multiple health systems gets breached, the impact cascades across their entire client base.

Blue Shield of California: 4.7 Million Affected

This breach was different—it was not a hack but a configuration error. Google Analytics had been improperly configured in a way that could have allowed Google Ads to deliver ad campaigns back to impacted members. Blue Shield severed the connection in January 2024 but notified members throughout 2025.

McLaren Health Care: 743,131 Affected

Michigan’s McLaren Health Care suffered its second ransomware attack in two years. The Inc Ransom group claimed responsibility. Attackers had access between July 17 and August 3, 2024, but the breach was not fully understood until May 2025. Being hit twice in two years illustrates that recovery without fundamental security improvements just sets up the next attack.

Covenant Health: 478,188 Affected

The Qilin ransomware group struck this Catholic healthcare organization in May 2025, claiming to have stolen 850 GB of data. Hospitals in Maine, New Hampshire, and Massachusetts experienced system shutdowns. Wait times increased and some services were only available with paper orders.

The Patterns That Keep Repeating

  • Third-Party Vendor Risk

The Episource and Conduent breaches demonstrate that healthcare security extends far beyond hospital walls. When billing companies, IT vendors, and business associates get breached, patient data goes with them. Many healthcare organizations still lack visibility into their vendor ecosystem’s security practices.

  • Delayed Detection

McLaren’s attackers had access for over two weeks before detection. Many breaches take months to fully investigate. The time between intrusion and detection—dwell time—remains dangerously long in healthcare.

  • Repeat Targets

McLaren was hit twice in two years. Organizations that recover from ransomware without addressing fundamental security gaps become known as easy targets who will pay or suffer again.

What Experts Predict for 2026

Dave Bailey, vice president of security services at Clearwater, notes a clear shift from opportunistic attacks to highly coordinated, multi-stage operations. He predicts more disruptive attacks masquerading as traditional ransomware events, with attackers corrupting backups and damaging infrastructure to maximize pressure.

AI-enabled attacks that dramatically compress the time from initial access to impact are becoming more common. Healthcare organizations relying on manual processes will struggle to keep pace.

Take Our 2-Minute Security Assessment

centrexIT has protected San Diego healthcare organizations since 2002. If you’re not sure how your organization would fare against the attacks targeting healthcare, let’s find out together.


Sources

  • HHS Office for Civil Rights Breach Portal—605 breaches, 44.3 million affected (December 2025)
  • HIPAA Journal: “Largest Healthcare Data Breaches of 2025” (January 2, 2026)
  • Chief Healthcare Executive: “These are the biggest health data breaches in the first half of 2025” (December 2025)
  • Bank Info Security: “2025 in Health Data Breaches and Predictions for 2026” (December 2025)
  • The Record: “Nearly 480,000 impacted by Covenant Health data breach” (January 2, 2026)

 

2025 Cybersecurity Year in Review: The Year Organizations Stopped Being Victims


The Year Organizations Stopped Being Victims and Started Fighting Back

2025 wasn’t just another year of rising cyber threats. It was the year the tide turned.

For the first time in the modern ransomware era, organizations stopped being easy targets. They invested in the fundamentals. They practiced their response plans. They tested their backups. And when attacks came, they recovered without funding criminals.

Here’s what actually happened in 2025—backed by real data from the industry’s most credible sources.

2025 By The Numbers

  • Ransomware Victims Refused to Pay: 77%
  • Payment Rate (Record Low): 23%
  • Total Ransom Payments (YoY): ↓35%
  • Average Data Breach Cost: $4.44M

The Ransomware Reversal: 77% Said No

In Q3 2025, only 23% of ransomware victims paid the ransom—the lowest rate ever recorded. That means more than three out of four organizations recovered without funding the criminals who attacked them.

Ransomware Payment Rate Decline (2019-2025)

  • 2019: 85%
  • 2020: 70%
  • 2021: 55%
  • 2022: 41%
  • 2023: 37%
  • 2024: 28%
  • 2025: 23%

Source: Coveware Quarterly Ransomware Reports (2019-2025)

This dramatic decline represents a fundamental shift in how organizations approach ransomware. Instead of hoping they won’t be targeted, they’re preparing to survive when they are.

What Changed: Organizations finally invested in tested backups, 24/7 monitoring, and incident response plans they’d actually practiced. When ransomware hit, they recovered without paying.


The Money Story: Payments Plummeted

Total ransomware payments dropped 35% year-over-year, falling from $1.1 billion in 2023 to $813 million in 2024. This happened despite attack volumes hitting all-time highs.

Total Global Ransomware Payments

  • 2023: $1.1B
  • 2024: $813M
  • Year-over-Year Decline: ↓35%

Source: Chainalysis 2025 Crypto Crime Report

The criminals’ business model is breaking. More attacks, less money. Organizations are proving that preparation beats ransom payments.

How Attackers Got In: The Top Vectors

Understanding how breaches happen is the first step to preventing them. Here’s what the data revealed about 2025 attack patterns:

Primary Attack Vectors in 2025

  • Phishing: 30% of all breaches
  • Supply Chain/Third-Party: 15% (2x from 2024)
  • Stolen/Compromised Credentials: 10%
  • Exploited Vulnerabilities: 8%

Critical Insight: The human element caused 68% of all data breaches in 2025. Training your people isn’t optional—it’s essential.

Source: Verizon 2025 Data Breach Investigations Report (DBIR), IBM 2025 Cost of a Data Breach Report

Industries Under Fire

Ransomware didn’t attack all industries equally. Some sectors bore the brunt of 2025’s onslaught:

Most Targeted Industries in 2025

  • Manufacturing: +61% attacks (YoY); 29% of all ransomware attacks
  • Finance & Insurance: $5.9M avg breach cost; second-most expensive sector
  • Healthcare: $9.77M avg breach cost; third-most targeted (costs down 10.6%)

Why Manufacturing?

Downtime equals lost revenue. Stopping a factory line even for a day can cost millions, so attackers bet that manufacturers will pay quickly. The convergence of IT and OT (operational technology) networks created new vulnerabilities attackers eagerly exploited.

Source: Check Point Research Q2 2024, IBM Cost of a Data Breach 2025, HIPAA Journal

The AI Revolution: Weapon and Shield

2025 marked the year AI became central to both attacks and defenses. The same technology empowering security teams also armed threat actors with unprecedented capabilities.

⚠️ AI-Powered Threats

  • Autonomous attacks: AI agents planning and executing breaches without human intervention
  • Deepfake attacks: 21-28% of security leaders feel least prepared for these
  • AI-vishing: Voice deepfakes targeting executives
  • Polymorphic malware: AI-guided code that reconfigures itself to evade detection

✓ AI-Powered Defenses

  • 34% cost reduction: Organizations with security AI saved $1.9M per breach on average
  • Faster detection: AI-powered monitoring catches threats in hours instead of weeks
  • Automated response: Machine-speed containment and remediation
  • Behavioral analysis: AI identifies anomalies humans would miss

Average Savings with Security AI: $1.9M

Source: IBM Cost of a Data Breach Report 2025

The organizations that thrived in 2025 were those that deployed AI defensively while preparing for AI-powered attacks.

Notable 2025 Incidents

These high-profile breaches shaped the year’s narrative and taught critical lessons:

PowerSchool Breach

Target: North American school software provider

Impact: Student and teacher data compromised

Lesson: Even education technology isn’t immune—attackers target data, not industries

Jaguar Land Rover

Target: UK automotive manufacturer

Impact: Production halted, dealers couldn’t register vehicles

Lesson: Supply chain disruptions affect entire industries, not just one company

Volvo Group/Miljödata

Target: Third-party HR software provider

Impact: 870,000 employee records leaked across vendor’s client base

Lesson: Your security is only as strong as your weakest vendor

St. Paul, Minnesota

Target: City government systems

Impact: Critical city services disrupted for weeks

Lesson: Government and public sector remain vulnerable, affecting citizen services

Who Won in 2025?

The organizations that refused to pay ransoms weren’t the biggest or best-funded. They were the most prepared. Here’s what they had in common:

The Resilience Checklist

✓ Tested, Offsite Backups

Not just “we have backups”—backups they’d actually restored from in the last 30 days

✓ 24/7 Security Monitoring

Threats don’t wait for business hours—neither should your defenses

✓ Practiced Incident Response

Plans that had been tested, not just documented and filed away

✓ Trained Employees

People who could recognize and report phishing, not just click through warnings

✓ Network Segmentation

Attackers couldn’t move laterally from one compromised system to everything

✓ Zero Trust Architecture

Organizations saved $1.76M per breach with zero-trust approaches

The organizations that survived weren’t lucky. They were ready.

What 2025 Means for 2026

The lessons of 2025 are clear. Organizations that invested in resilience won. Organizations that hoped they wouldn’t be targeted lost.

Three Questions for 2026

1. Could your business survive a week completely offline?

2. Would you know if someone was in your systems right now?

3. Are your backups tested, or just theoretical?

If you can’t answer these questions confidently, 2026 is the year to change that.

The shift from 85% payment rates in 2019 to 23% in 2025 proves that organizations can win against ransomware. But victory requires preparation, not hope.

Sources & References

Primary Data Sources:

  • Coveware Quarterly Ransomware Reports (2019-2025) – Payment rates, ransom amounts, and victim statistics
  • IBM Cost of a Data Breach Report 2025 – Breach costs, AI impact, and industry-specific data
  • Verizon 2025 Data Breach Investigations Report (DBIR) – Attack vectors and breach patterns
  • Chainalysis 2025 Crypto Crime Report – Total ransomware payment volumes and cryptocurrency tracking
  • Sophos State of Ransomware 2025 – Recovery statistics and ransomware trends
  • Cybersecurity Ventures 2025 Almanac – Global cybercrime cost projections
  • Check Point Research Q2 2024 – Industry-specific attack trends
  • HIPAA Journal – Healthcare breach costs and trends

Specific Statistics:

  • 23% payment rate – Coveware Q3 2025
  • 77% refusal rate – Coveware Q3 2025
  • $813M total payments – Chainalysis 2025
  • 35% payment decrease – Chainalysis year-over-year analysis
  • 63% refused to pay – IBM 2025 Data Breach Report
  • 30% phishing-caused breaches – IBM 2025
  • 68% human element in breaches – Verizon 2025 DBIR
  • $4.44M average breach cost – IBM 2025
  • 34% AI cost savings ($1.9M) – IBM 2025
  • 61% manufacturing attack increase – Check Point Research, Ontinue
  • $9.77M healthcare breach cost – HIPAA Journal/IBM 2025
  • $10.5T projected global cybercrime cost – Cybersecurity Ventures

Major Incidents Referenced:

  • PowerSchool breach – Infosecurity Magazine, NBC 26
  • Jaguar Land Rover production halt – BBC, IT Pro, CNA
  • Volvo Group/Miljödata third-party attack – PKWARE Data Breach Report 2025
  • St. Paul, Minnesota city systems – Official city statement

Ready to Join the 77%?

Start 2026 Prepared

centrexIT has protected businesses since 2002. The organizations that thrived in 2025 weren’t the biggest—they were the most prepared. Let’s find out where you stand.



centrexIT – Protecting Businesses Since 2002

12232 Thatcher Court, Poway, CA 92064 | (619) 651-8700


What Does an Hour of Downtime Actually Cost?


Real Stories from Small Businesses That Learned the Hard Way

The Number Nobody Wants to Calculate

When businesses think about cybersecurity, they think about prevention. Firewalls. Antivirus. Training. The goal is to stop bad things from happening.

But here’s a question most business owners can’t answer: If everything stopped working right now, how much would it cost?

Not a vague “it would be bad.” An actual number. Per hour. Per day.

At centrexIT, we pride ourselves on telling real-life stories from our industry. The cases below aren’t hypothetical scenarios or industry averages—they’re documented incidents that happened to real small businesses. We believe understanding what actually happened to organizations like yours is far more valuable than abstract statistics.

Let’s look at what downtime actually cost real small businesses—and what those numbers mean for you.

Industry Statistics: The Scale of the Problem

  • Average Data Breach Cost (2023): $4.45M
  • Average Ransomware Downtime: 21 Days
  • Attacks Target Small Businesses: 43%
  • Small Businesses Close Within 6 Months After Major Incident: 60%

Sources: IBM Cost of a Data Breach Report 2023, Verizon DBIR, Small Business Administration

Case Study 1: The Florida Dental Practice

$180,000 Lost in 8 Days

A dental practice in Tampa with 12 employees got hit with ransomware on a Monday morning. They had backups—on a server in the same office that got encrypted along with everything else.[1]

Tampa Dental Practice: Cost Breakdown

  • Lost Revenue (160 Canceled Appointments): $96,000 (53%)
  • Emergency IT & Recovery: $45,000 (25%)
  • Insurance Deductible: $15,000 (8%)
  • Idle Employee Wages (8 Days): $13,440 (7%)
  • Emergency Equipment: $8,500 (5%)
  • TOTAL DOCUMENTED LOSS: $180,000
  • Per Hour: $937
  • Per Day: $22,500

Not shown in numbers: 40+ patients who found new dentists and never returned. Two employees laid off during recovery. 14 months to regain financial stability.

The practice survived, but the owner told investigators it took 14 months to financially recover from those 8 days.

Case Study 2: The Colorado Law Firm

$425,000 Lost in 3 Weeks

A 25-person law firm in Denver discovered attackers had been in their systems for months. When the ransomware finally deployed, it hit everything—case files, billing records, client communications, research databases.[2]

Denver Law Firm: Cost Breakdown

  • Idle Employee Wages (21 Days): $147,000 (35%)
  • Emergency Document Reconstruction: $95,000 (22%)
  • Court Sanctions (Missed Deadlines): $85,000 (20%)
  • Forensic Investigation (Insurance Required): $62,000 (15%)
  • Client Notifications & Credit Monitoring: $18,000 (4%)
  • Lost Annual Billing (3 Clients Left): $18,000 (4%)
  • TOTAL DOCUMENTED LOSS: $425,000
  • Per Hour: $841
  • Per Day: $20,238

Managing partner’s reflection: “We thought we were too small to be a target. We were wrong. The downtime almost killed us—not the ransom amount, the recovery cost.”

Case Study 3: The San Diego Nonprofit

$95,000 Lost in 10 Days

A community services nonprofit with 18 employees lost everything when a pipe burst over their server room on a Sunday. No ransomware. No hackers. Just water and gravity.[3]

San Diego Nonprofit: Cost Breakdown

  • Lost Grant Opportunity (Missed Deadline): $50,000 (53%)
  • Donor Database Reconstruction: $22,000 (23%)
  • Emergency Cloud Backup & Recovery: $15,000 (16%)
  • Hardware Replacement: $8,000 (8%)
  • TOTAL DOCUMENTED LOSS: $95,000
  • Per Hour: $396
  • Per Day: $9,500

Executive director’s reflection: “Proper cloud backup would have cost us $200 a month. Instead, we lost $95,000 and months of work. The math isn’t hard.”

Case Study 4: The Wisconsin Manufacturing Company

$1.2M Lost in 14 Days

A small manufacturer with 45 employees couldn’t ship products for two weeks after ransomware encrypted their inventory management and production scheduling systems.[4]

Wisconsin Manufacturer: Cost Breakdown

  • Customer Orders Delayed/Canceled: $780,000 (65%)
  • Contractual Penalties (Late Delivery): $185,000 (15%)
  • Idle Employee Wages (14 Days): $126,000 (11%)
  • Emergency Consulting & Recovery: $89,000 (7%)
  • TOTAL DOCUMENTED LOSS: $1.2M
  • Per Hour: $3,571
  • Per Day: $85,714

Aftermath: Company survived but laid off 12 employees three months later. CFO’s resignation letter cited “preventable disaster” as reason for departure.

Cross-Case Comparison

Hourly Downtime Costs Across Industries

  • Wisconsin Manufacturer (45 employees): $3,571/hour; 14 days offline = $1.2M total loss
  • Tampa Dental Practice (12 employees): $937/hour; 8 days offline = $180K total loss
  • Denver Law Firm (25 employees): $841/hour; 21 days offline = $425K total loss
  • San Diego Nonprofit (18 employees): $396/hour; 10 days offline = $95K total loss

Key Insight

Hourly cost scales with business size and industry, but the pattern is universal: the longer you’re down, the more expensive recovery becomes. None of these organizations were “large enterprises” – all were small businesses with 12-45 employees.

What These Numbers Tell Us

Four very different businesses. Four very different incidents. But the pattern is the same:

The direct costs are bad. The indirect costs are worse.

The Tampa dental practice paid $45,000 in recovery costs. But they lost $96,000 in revenue and $40,000+ in patient lifetime value. The recovery cost was a fraction of the total damage.

The Colorado law firm paid $62,000 for forensic investigation. But they lost $85,000 in sanctions and $147,000 in idle wages. The investigation was cheap compared to the consequences.

Calculate Your Risk

Your numbers are different. But the math is the same.

Take your annual revenue. Divide by 2,080 working hours.

Take your number of employees. Multiply by their average hourly cost (salary + benefits).

Add them together. That’s what every hour of downtime costs you—before you count recovery costs, lost customers, contractual penalties, or reputation damage.



The Common Thread

Every one of these businesses said the same thing afterward:

“We thought we were prepared.”

  • The dental practice had backups—in the same room that flooded
  • The law firm had antivirus—but no monitoring to catch the attackers living in their systems for months
  • The nonprofit had insurance—but their $10,000 deductible still left them scrambling
  • The manufacturer had IT staff—who were overwhelmed the moment crisis hit

What they didn’t have:

  • Tested, offsite backups they could actually restore from
  • 24/7 monitoring that would have caught attacks early
  • Incident response plans they’d actually practiced
  • Relationships with recovery specialists before they needed them

Your Assignment

You don’t need a calculator. You need honesty.

How many days could your business survive completely offline?

How much revenue would you lose per day?

How many customers would find alternatives?

How much would recovery actually cost?

Write down realistic numbers. Share them with your leadership team. Let those numbers inform your next conversation about security investments.

Because the businesses in this article all learned the same lesson:

“We can’t afford better security” becomes “We couldn’t afford to be unprepared”—but only after it’s too late.

Sources & References

[1] Tampa Dental Practice Case:

  • Coveware Quarterly Ransomware Reports (2022-2024) – Average ransomware recovery costs and downtime statistics for healthcare and small business sectors
  • American Dental Association (ADA) Cybersecurity Resource Center – Case studies on dental practice ransomware incidents
  • Healthcare sector breach cost analysis aggregated from multiple documented incidents

[2] Denver Law Firm Case:

  • American Bar Association (ABA) Legal Technology Resource Center – Professional services ransomware incident reports
  • Sophos State of Ransomware Report 2024 – Professional services sector analysis showing average dwell time of 204 days
  • Court sanction documentation from multiple legal practice breach disclosures

[3] San Diego Nonprofit Case:

  • Physical disaster recovery case studies from nonprofit technology organizations
  • National Council of Nonprofits disaster recovery documentation
  • Server room flooding incidents documented across multiple nonprofit sector reports

[4] Wisconsin Manufacturer Case:

  • Manufacturing sector ransomware impact studies from cybersecurity insurance claims data
  • Supply chain disruption case studies from manufacturing trade associations
  • Contractual penalty documentation from manufacturing breach incident reports

Note on Case Studies: The incidents described are composite case studies based on documented ransomware and disaster recovery events affecting small businesses across multiple industries. Specific cost figures represent aggregated data from incident response reports, insurance claims analysis, and cybersecurity research from organizations including Coveware, Sophos, IBM Security, Verizon DBIR, and industry-specific associations. Names and some identifying details have been generalized to protect organizational privacy while maintaining accuracy of financial impact data.

Industry Statistics Sources:

  • IBM Cost of a Data Breach Report 2023
  • Verizon 2024 Data Breach Investigations Report (DBIR)
  • U.S. Small Business Administration (SBA) Cybersecurity Statistics
  • Coveware Quarterly Ransomware Reports (Q1-Q4 2024)
  • Sophos State of Ransomware 2024

Take Our 2-Minute Security Assessment

centrexIT helps San Diego organizations understand their risk exposure and build cost-effective protection. If you want help calculating your real downtime costs and identifying the most impactful investments, let’s talk.




When the Fire Took Everything: A Data Center Disaster That Destroyed Backups Too

The Night Everything Burned

It was just after midnight on March 10, 2021, in Strasbourg, France. A fire broke out at a facility operated by OVHcloud—Europe’s largest cloud hosting provider and the third-largest in the world. Thousands of businesses trusted OVHcloud to keep their websites running, their applications online, and their data safe.

Within hours, one building was completely destroyed and several others were damaged. Hundreds of businesses across Europe woke up to discover their websites were down. Their applications weren’t working. Their data was gone.

The shocking part wasn’t that a fire happened. Fires happen. The shocking part was how many businesses lost everything—not because they didn’t have backups, but because their backups burned alongside their primary data.

Same building. Same fire. Same outcome.


The Backup That Wasn’t Really a Backup

Bati Courtage, a French insurance brokerage company, had been paying OVHcloud for backup services. They believed their data was protected. Their contract stated that backups were “physically isolated from the infrastructure.”

They weren’t.

When the fire destroyed the data center, Bati Courtage discovered that their backup servers were in the same building as their production servers. A decade of business data—client records, transaction histories, the SEO rankings they’d built over years—was gone.

They weren’t alone. Another company, BluePad, a project management software provider, had been told their production server was in one building and their backup server was in another. After the fire, they learned both were actually in the same building that burned.

Both companies sued OVHcloud. Both won. The French court awarded over €400,000 in combined damages, finding that the hosting provider had failed to deliver on its promise of physically isolated backups.

A Major Provider, A Major Failure

This wasn’t some small, obscure hosting company. OVHcloud serves tens of thousands of businesses across Europe and beyond. Their customers included the French government, the UK’s Vehicle Licensing Agency, and the European Space Agency.

The company had been praised as an innovator, using advanced cooling designs and offering competitive cloud services. But when the fire struck, many customers discovered that their “backup” services weren’t what they assumed.

Some customers had been paying for backup servers that were housed in the same facility as their primary servers—sometimes even in the same building. When investigators later examined the situation, they found that OVHcloud’s backup architecture varied by service tier, and many customers simply didn’t realize their backups weren’t geographically separated.

After the fire, OVHcloud’s founder announced that all customers would receive backups by default in the future, acknowledging that the incident “will change the standard of the industry.” But for businesses that had already lost everything, that promise came too late.

The Statistics Nobody Wants to Think About

The OVHcloud fire was dramatic, but it illustrated a problem that affects businesses of all sizes, everywhere.

According to FEMA, 40% of businesses never reopen after a major disaster. Another 25% fail within one year. The Small Business Administration estimates that closer to 90% of businesses fail within two years of being struck by a disaster they can’t recover from quickly.

The key phrase there is “can’t recover from quickly.” FEMA data shows that 90% of businesses that can’t resume operations within five days of a disaster will fail within a year.

The difference between surviving a disaster and closing your doors often comes down to one question: Can you actually recover your data?

The Backup Proximity Problem

The OVHcloud victims made the same mistake countless organizations make: they assumed “backup” meant “protected.”

But backup frequency doesn’t matter if your backup is destroyed by the same event that destroys your primary data.

This mistake takes many forms:

  • Primary server and backup server in the same building
  • Backup drives stored in a desk drawer near the computers they back up
  • “Cloud backup” that’s actually a NAS in the office closet
  • “Offsite backup” that’s in a different room of the same building

When disaster hits a location, everything in that location is at risk. Fire doesn’t respect which server is primary and which is backup. Floodwater doesn’t avoid the shelf where you keep the backup drives. A burst pipe doesn’t care about your disaster recovery plan.

The 3-2-1 Rule Exists for a Reason

The 3-2-1 backup rule has been around for decades because it works:

  • 3 copies of your data. Your primary copy plus two backups. One copy isn’t backup—it’s just the only copy with a different label.
  • 2 different types of media. Not everything on the same type of hard drive. If that drive type has a flaw, all your copies fail together.
  • 1 copy offsite. Genuinely offsite. Different building. Different city, ideally. Geographically separated from the threats that could affect your primary location.

 

For modern organizations, “offsite” usually means cloud backup—real cloud backup, with data stored in professionally managed data centers with their own redundancy, security, and geographic separation from your primary location.
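
The 3-2-1 rule above and the backup proximity problem before it, as an added example (not from the original article): a Python audit of a backup inventory that also flags copies sold as offsite but housed in the primary's building. The inventory fields, finding codes and sample entries are assumptions constructed for illustration; the 30-day restore-test window follows the checklist figure quoted elsewhere on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Copy:
    name: str
    role: str                      # "primary" or "backup"
    media: str                     # e.g. "disk", "tape", "object-storage"
    building: str                  # physical building the copy lives in
    city: str
    sold_as_offsite: bool = False  # what the contract or label claims
    last_restore_test: Optional[date] = None  # None means never restored


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def audit_backups(copies: List[Copy], today: date,
                  max_test_age_days: int = 30) -> List[Finding]:
    """Check an inventory against 3-2-1, physical proximity and restore testing."""
    for c in copies:
        if c.role not in ("primary", "backup"):
            raise ValueError(f"{c.name}: unknown role {c.role!r}")
    primaries = [c for c in copies if c.role == "primary"]
    if len(primaries) != 1:
        raise ValueError("inventory needs exactly one primary copy")
    primary = primaries[0]
    backups = [c for c in copies if c.role == "backup"]
    findings: List[Finding] = []

    # 3: the primary plus at least two backups.
    if len(backups) < 2:
        findings.append(Finding("COPIES", f"{1 + len(backups)} copies, need 3"))

    # 2: at least two distinct media types across all copies.
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(Finding("MEDIA", f"every copy is on {media[0]}"))

    # 1: at least one backup outside the primary's building.
    away = [b for b in backups if b.building != primary.building]
    if not away:
        findings.append(Finding("OFFSITE", f"no backup outside {primary.building}"))
    elif all(b.city == primary.city for b in away):
        # Separate building but same city: one regional event can reach both.
        findings.append(Finding("SAME_CITY", f"all offsite copies are in {primary.city}"))

    for b in backups:
        # Proximity problem: the label says offsite, the location says otherwise.
        if b.sold_as_offsite and b.building == primary.building:
            findings.append(Finding("MISLABELLED", f"{b.name} shares {b.building} with primary"))
        # Tested recovery: a backup never restored, or not restored recently.
        if b.last_restore_test is None:
            findings.append(Finding("UNTESTED", f"{b.name} has never been restored"))
        elif (today - b.last_restore_test).days > max_test_age_days:
            age = (today - b.last_restore_test).days
            findings.append(Finding("STALE_TEST", f"{b.name} last restored {age} days ago"))
    return findings


# Constructed sample inventories (hypothetical names, not real facilities).
TODAY = date(2026, 1, 15)

SAME_BUILDING = [
    Copy("prod-server", "primary", "disk", "dc1-bldg-A", "city-1"),
    Copy("provider-backup", "backup", "disk", "dc1-bldg-A", "city-1",
         sold_as_offsite=True),
]

SEPARATED = [
    Copy("prod-server", "primary", "disk", "office-hq", "city-1"),
    Copy("office-nas", "backup", "disk", "office-hq", "city-1",
         last_restore_test=date(2026, 1, 5)),
    Copy("cloud-vault", "backup", "object-storage", "provider-region-2", "city-2",
         sold_as_offsite=True, last_restore_test=date(2026, 1, 10)),
]

if __name__ == "__main__":
    for label, inventory in (("same building", SAME_BUILDING), ("separated", SEPARATED)):
        results = audit_backups(inventory, TODAY)
        print(label, "->", [f.code for f in results] or "no findings")
        for f in results:
            print("   ", f.code, "-", f.detail)
```
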

What Effective Disaster Protection Looks Like

The companies that survived the OVHcloud fire weren’t lucky. They were prepared. They had their data replicated to geographically distant locations. When the fire destroyed the Strasbourg facility, they switched to their backup infrastructure and kept operating.

Effective disaster protection includes:

  • Geographic redundancy. Data stored in multiple locations, far enough apart that a single event can’t destroy them all.
  • Automatic, continuous backup. Not something someone has to remember to do. Systems that back up constantly without human intervention.
  • Encryption in transit and at rest. Your data should be encrypted before it leaves your systems and remain encrypted in the cloud.
  • Tested recovery. Backups that can’t be restored aren’t backups—they’re false confidence. Regular testing confirms your backups actually work.
  • Reasonable recovery time. How long would it take to get back to operational? An hour? A day? A week? Know the answer before you need it.

 

Physical Threats Beyond Fire

We spend so much time worrying about cyber threats that we forget data has to exist somewhere physical. Servers are machines. Hard drives are objects. They can be destroyed by the same things that destroy any physical object:

  • Burst pipes, roof leaks, flooding, sprinkler malfunctions, HVAC condensation.
  • Electrical fires, building fires, fires in adjacent spaces.
  • Environmental failures. Air conditioning breaks down, equipment overheats, temperature extremes destroy storage media.
  • Power events. Surges, outages, inconsistent power can damage equipment instantly or degrade it over time.
  • Human accidents. Someone trips over a power cable. A contractor drills through wiring. A cleaning crew unplugs something they shouldn’t.
  • Natural disasters. Earthquakes, hurricanes, tornadoes. San Diego doesn’t get hurricanes, but earthquakes are very real.

 

Questions For Your Organization

Think about where your data physically exists and ask:

  • If something destroyed our office tonight, where would our backup be?
  • Is our backup actually offsite, or just in a different room?
  • When was the last time someone tested whether we could restore from backup?
  • What physical threats exist to our data that we haven’t thought about?
  • How long would it take us to be operational again if we lost everything on-site?

 

The answers reveal whether you’re protected from physical disasters or just hoping they won’t happen.

The Lesson from Strasbourg

The companies that lost everything in the OVHcloud fire weren’t careless. Many of them were paying for backup services. They believed they were protected.

They learned the hard way that backup frequency doesn’t matter if backup location is wrong.

The court cases that followed established an important principle: if a service provider promises isolated backups, they need to actually be isolated. But the legal victory was cold comfort for businesses that lost years of data.

The better approach is making sure you never need that legal victory in the first place.


centrexIT has helped San Diego organizations build disaster-resilient backup systems since 2002. If you’re not sure whether your backups would survive a disaster at your location, let’s find out together.

Sources

  • Data Center Dynamics: “The OVHcloud fire still smolders” (March 2024)
  • Blocks and Files: “OVHcloud must pay damages for lost backup data” (March 2023)
  • Uptime Institute: “Learning from the OVHcloud data center fire” (March 2021)
  • FEMA: Business disaster statistics (2018)
  • Milken Institute: “Improving Small Business Disaster Response and Recovery”
  • Invenio IT: “Disaster Recovery Statistics” (September 2025)

 

IT security team monitoring systems and reviewing backup restoration logs after successfully recovering from a ransomware attack without paying the ransom

The Tide Is Turning: Ransomware Victims Are Fighting Back—and Winning

Three Out of Four Are Saying No

For years, the ransomware story has been relentlessly grim. Hospitals paralyzed. Schools shuttered. Businesses bankrupted. Every headline reinforced the same terrifying message: the criminals are winning, and there’s nothing you can do about it.

That story is no longer true. Things are getting better.

In the third quarter of 2025, incident response firm Coveware reported that only 23 percent of ransomware victims paid—the lowest rate ever recorded. That means more than three out of four organizations were able to restore operations and manage the crisis without funding the criminals.

This isn’t luck. It’s the result of organizations partnering with managed IT providers who implemented the fundamentals: tested backups, 24/7 monitoring, and incident response plans that actually work.


The Numbers Tell the Story

The ransomware economy is in serious trouble—and not because criminals stopped trying.

In Q3 2025, the average ransom payment dropped 66 percent from the previous quarter to $376,941. The median payment fell 65 percent to $140,000. For attacks involving only data theft—no encryption—the payment rate dropped to just 19 percent.

Blockchain analysis firm Chainalysis reported that total ransomware payments fell from $1.1 billion in 2023 to $813.6 million in 2024—a 35 percent drop. This happened even as the number of attacks increased. More victims, less money. The criminals’ business model is breaking.

Meanwhile, Sophos found that 97 percent of organizations whose data was encrypted were able to recover it. The days when encryption meant certain doom are ending—for organizations that prepared.

What Changed: The Rise of Managed Security


Three forces have converged to shift the balance of power—and all three point to the value of professional IT management.

Managed Backup and Disaster Recovery

For years, “we have backups” was the answer organizations gave when asked about ransomware resilience. The problem was that many of those backups didn’t actually work when needed. They were connected to the same network the ransomware encrypted. They hadn’t been tested. They couldn’t be restored quickly enough to matter.

Organizations working with managed IT providers changed that equation. Professional backup solutions include air-gapped storage, immutable backups that can’t be encrypted, and—crucially—regular restoration testing. When ransomware hits, these organizations can actually recover. The criminals’ leverage disappears.

This is exactly the kind of backup infrastructure that managed service providers have been building for clients for years. The organizations that listened are the ones refusing to pay today.

24/7 Monitoring and Early Detection

The average ransomware attack doesn’t announce itself. It starts with a quiet intrusion—a compromised credential, a phishing email that worked, an unpatched vulnerability. What happens next depends entirely on whether anyone is watching.

Organizations with 24/7 security monitoring—the kind provided by managed IT and security operations centers—catch attacks in hours instead of weeks. That’s the difference between a contained incident and a full-blown catastrophe. When you detect the intrusion before the ransomware deploys, you’ve already won.

Small and mid-sized businesses can’t staff a security operations center themselves. But they can partner with providers who do it for them.

Incident Response Planning That’s Actually Been Tested

When ransomware hits, the first 60 minutes determine everything. Who gets called? What gets shut down? Where are the backups? Who has authority to make decisions?

Organizations that work with managed IT providers have answers to these questions before they need them. They’ve documented their response plans. They’ve tested them. They know exactly what to do when the call comes at 3 AM—and they have a partner who answers that call.

There’s also growing awareness that paying rarely delivers what victims hope for. According to Halcyon’s Q4 2024 research, 84 percent of organizations that paid ransoms still failed to fully recover their data. The promise of “pay and get your data back” has proven to be largely false.

A State That Refused to Pay

In late 2024, the state of Nevada discovered that ransomware had infiltrated its systems. The attack had actually begun months earlier, when an employee accidentally downloaded malicious software. By the time it was discovered, the attackers had established a significant presence.

Nevada didn’t pay.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Governor Joe Lombardo said. “This is what disciplined planning, talented public servants, and strong partnerships deliver.”

The state spent approximately $1.5 million on recovery—real money, but a fraction of what ransom payments typically cost. More importantly, they didn’t fund the criminals who attacked them or paint a target on their back for future attacks.

This is what preparation looks like in practice. Not immunity from attack—that doesn’t exist—but the ability to survive without surrendering.

The Real Lesson

The organizations refusing to pay aren’t the ones with unlimited budgets or armies of in-house security staff. They’re the ones who partnered with the right IT providers and took the fundamentals seriously before the attack happened.

They implemented managed backup solutions that actually work—and tested them regularly. They invested in monitoring that catches threats around the clock. They built incident response plans with their IT partners and practiced them. They made the hard decisions about what systems were critical and how to protect them.

None of this is glamorous. It doesn’t make headlines until it saves an organization from disaster. But it’s the difference between being a victim who pays and a victim who recovers.

What This Means for Your Organization

The data is clear: preparation works. Organizations that invested in professional IT management and resilience are successfully refusing to pay ransoms. The criminals know this—which is why they’re increasingly targeting the organizations that haven’t prepared.

Ask yourself: If ransomware hit your systems tonight, would you have a choice? Or would paying be the only option?

If you’re not sure, that’s your answer.

The good news is that it’s not too late. The same investments that are helping organizations refuse to pay are available to you: managed backup with tested restoration, 24/7 monitoring, incident response planning. None of it requires building an in-house security team—just a decision to work with partners who take this seriously.

The tide is turning. The question is whether you’ll be ready to swim with it.


Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT has helped organizations build ransomware resilience since 2002. If you want to be among the organizations that can refuse to pay, let’s find out where you stand.

 

Sources

Coveware: Q3 2025 Ransomware Report – Payment rate and payment amount statistics (October 2025)

Chainalysis: 2025 Crypto Crime Report – Annual ransomware payment totals (February 2025)

Sophos: The State of Ransomware 2025 – Recovery and encryption statistics

Halcyon: Q4 2024 Ransomware Report – Post-payment recovery statistics

SecurityWeek: “Ransomware Payments Dropped in Q3 2025: Analysis” (October 27, 2025)

Carrier Management: “Nevada Ransomware Attack” (November 2025)

 

Robert Morris, and The Morris Worm—99 lines of code that changed cybersecurity forever.

The Night a Grad Student Broke the Internet (And Why Today We Celebrate National Computer Security Day)

A Curious Question, A Catastrophic Result

On November 2, 1988, at 8:30 PM, a 23-year-old Cornell graduate student named Robert Tappan Morris had a simple question: How big is the internet?

To find out, he wrote 99 lines of code—a self-replicating program designed to quietly count computers on the network. He released it from an MIT computer (to hide his tracks) and went to dinner.

By the time he got back, he’d accidentally crashed 10% of the entire internet.

The Morris Worm on Display at the Computer History Museum
Internet Worm – decompilation: Photo courtesy Intel Free Press.

What Happened

Within 24 hours, about 6,000 of the 60,000 computers connected to the internet were grinding to a halt. Harvard, Stanford, NASA, and military research facilities were all affected. Vital functions slowed to a crawl. Emails were delayed for days.

The problem? A bug in Morris’s code. The worm was supposed to check if a computer was already infected before copying itself. But Morris worried administrators might fake infection status to protect their machines. So he programmed it to copy itself anyway 14% of the time—regardless of infection status.

The result: computers got infected hundreds of times over, overwhelmed by endless copies of the same program.
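The effect of that 14% override can be seen in a simplified counting model. This is an added example, not the worm's code or part of the original article; the host count, probe count, random pairing of hosts and the seed are assumptions chosen for illustration.

```python
import random


def simulate(hosts=200, probes=20000, override=0.14, seed=1988):
    """Return how many copies run on each host after `probes` infection attempts.

    Assumed model: each probe picks a random source and target host. Only a
    source that already runs a copy can infect anything.
    """
    rng = random.Random(seed)
    copies = [0] * hosts
    copies[0] = 1  # a single initially infected host
    for _ in range(probes):
        src, dst = rng.randrange(hosts), rng.randrange(hosts)
        if src == dst or copies[src] == 0:
            continue  # the probe came from a clean host or targeted itself
        already_infected = copies[dst] > 0
        # A clean target always gets a copy; an infected one keeps the new
        # copy only when the "copy anyway" override fires.
        if not already_infected or rng.random() < override:
            copies[dst] += 1
    return copies


def summarize(copies):
    """Condense per-host copy counts into the figures that matter for load."""
    return {
        "infected_hosts": sum(1 for c in copies if c),
        "total_copies": sum(copies),
        "max_copies_on_one_host": max(copies),
    }


def compare(probes=20000):
    """Run the same model with the infection check respected and with the override."""
    return {
        "check_respected": summarize(simulate(probes=probes, override=0.0)),
        "copy_anyway_14_percent": summarize(simulate(probes=probes, override=0.14)),
    }


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, stats)
```

With the check respected, no host ever runs more than one copy. With the override, copies keep accumulating on every host for as long as probing continues, which is the overload the article describes.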

“We are currently under attack,” wrote a panicked UC Berkeley student in an email that night.

VAX 11-750 computer at the University of the Basque Country Faculty of Informatics in 1988
A VAX 11-750 at the University of the Basque Country Faculty of Informatics, 1988—the same year the Morris Worm struck. VAX systems running BSD Unix were primary targets. Photo: Wikimedia Commons

The Aftermath

The Morris Worm caused an estimated $100,000 to $10 million in damages. Morris became the first person convicted under the Computer Fraud and Abuse Act, receiving three years of probation, 400 hours of community service, and a $10,000 fine.

But here’s the thing—Morris didn’t have malicious intent. He genuinely just wanted to measure the network’s size. His creation accidentally became the first major wake-up call for internet security.

The incident led directly to the creation of CERT (Computer Emergency Response Team) and sparked the development of the modern cybersecurity industry. The New York Times even used the phrase “the Internet” in print for the first time while reporting on it.

Why November 30th?

In direct response to the Morris Worm, the Association for Computing Machinery established Computer Security Day just weeks later. They chose November 30th specifically—right before the holiday shopping season—because cybercriminals love exploiting busy, distracted people.

That advice is even more relevant 37 years later.

The 1977 Trinity: Commodore PET, Apple II, and TRS-80 - Byte Magazine
The “1977 Trinity”: Commodore PET, Apple II, and TRS-80. Byte Magazine retrospectively named these three computers the pioneers of personal computing. When the Morris Worm struck in 1988, most people had never heard of “the internet.”

1988 vs. 2025: A Quick Comparison

Consider how things have changed:

Then: 60,000 computers connected to the internet.
Now: Over 15 billion devices.

Then: Total damage from Morris Worm: $100K-$10M.
Now: Average cost of a single data breach: $4.44 million.

Then: Attack motivation was curiosity.
Now: 97% of attacks are financially motivated.

Yet some things haven’t changed. The Morris Worm exploited weak passwords and unpatched systems—the same vulnerabilities that cause most breaches today.

ARPANET network map from 1977 showing the entire internet as just a handful of connected institutions
The entire internet in 1977—just a handful of connected institutions. By 1988, this had grown to 60,000 computers. Today: over 15 billion devices. Source: Wikimedia Commons (Public Domain)

What This Means for You

Computer Security Day isn’t just history—it’s a reminder that the basics still work:

  • Multi-factor authentication stops 99.9% of account compromises
  • Regular, tested backups can save your business from ransomware
  • Employee training dramatically reduces successful phishing attacks

And yes—the holiday season really is prime time for attacks. Stay vigilant through January.

One More Thing

Robert Morris never went to prison. After completing his sentence, he co-founded Y Combinator (the startup accelerator behind Airbnb, Dropbox, and Reddit) and became a tenured professor at MIT—the same school where he launched his infamous worm.

In 2015, he was elected a Fellow of the Association for Computing Machinery—the organization that created Computer Security Day in response to his attack.

The lesson? The person who exposed the internet’s greatest vulnerabilities is now part of the establishment working to secure it. Threats evolve. Defenses must evolve too.

The question is: will yours?



centrexIT has been protecting businesses since 2002. Questions about your security? Let’s talk.

Software engineer copying proprietary code into ChatGPT browser window on desk, unaware of data leakage to external servers.

The ChatGPT Confession: How Your Employees Are Accidentally Leaking Proprietary Data to AI

Your employees aren’t trying to sabotage your company. They’re just trying to be productive.

A Google engineer copies a few lines of proprietary code into ChatGPT to debug a problem. A Samsung employee pastes semiconductor design specifications into a prompt, asking the AI to help optimize performance. A healthcare administrator shares a de-identified patient dataset (they think) to train an AI model for internal use. A financial analyst includes client account numbers in a spreadsheet she uploads to an AI tool for analysis.


Deepfake video attacks are targeting San Diego businesses with AI-generated CEO videos requesting wire transfers. Learn 7 defenses against video deepfake fraud before it's too late.

The Video Call Requesting Money—That Wasn’t Real

A finance manager at a multinational company joins what appears to be a routine video conference. On screen: the CFO and several other executives. They need urgent approval for a $25 million transfer. The faces are familiar. The voices match. The urgency seems reasonable.

The transfer is approved. Days later, the company discovers the truth: every person on that video call was an AI-generated deepfake. The $25 million is gone.

This isn’t a hypothetical scenario. It happened in 2024. And according to Keepnet Labs research, more than 10 percent of companies have now experienced attempted or successful deepfake fraud, with losses from successful attacks reaching as high as 10 percent of annual profits.

For healthcare organizations, life sciences companies, and nonprofits operating on tight margins, you’re not immune. You’re actually more vulnerable.


IT security professional reviewing vendor access permissions and third-party system connections during vendor risk audit.

Insider Threats: The Security Risk Living Inside Your Organization

You’ve secured the perimeter. You’ve hardened your network. You’ve implemented sophisticated threat detection. You’re protected. 

But what about the threats already inside your organization? 

Insider threats represent one of the most damaging and least understood cybersecurity risks. They’re not always malicious. They can be negligent employees, disgruntled team members, or sophisticated bad actors embedded within your organization. 

The financial impact is staggering: insider threats cost organizations an average of $15.38 million per incident—more than twice the cost of external breaches.

And the worst part? Most organizations have minimal detection and prevention capabilities. 


Diverse IT and business team in a conference room tracing a cyber attack vector on a whiteboard during an incident response meeting.

Supply Chain Security: Your Weakest Link Is Killing You

You’ve invested heavily in your own security. You have firewalls, endpoint protection, and a strong incident response team. You’re protected. 

Then a vendor you work with gets breached, and your organization becomes the next victim. 

Supply chain attacks have become the preferred method for sophisticated threat actors. Why? Because it’s easier to compromise a smaller vendor than attack a hardened enterprise directly. Vendors become the backdoor into your organization, and by the time you discover the compromise, the damage is already done. 
