Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Why quarantining is crucial after a breach

Written by Mara Ellis | February 17, 2026

Quarantining (containment) is the most important step after a healthcare breach because it stops the incident from spreading while clinicians still need working systems. Containment can mean disconnecting specific devices from the network, turning off wireless access, or shutting down only the affected part of the business rather than the whole environment.

According to Perspectives in Health Information Management, healthcare organizations are poorly positioned to absorb attacks: “healthcare entities are not prepared to withstand cyberattacks due to the complexity of newly implemented technologies.” Ransomware attacks can quickly become a patient-safety problem because “successful cybersecurity attacks, especially ransomware, render PHI unavailable and unreadable.”

Quarantining buys administrators time to bring in security, IT, clinical leadership, legal, and communications, so those teams can inform stakeholders, close the entry point, and restore services safely instead of making rushed decisions under pressure.

 

Quarantine in incident-response terms

In incident-response terms, quarantine means isolating infected systems, networks, or devices as soon as a threat is detected so the attack cannot spread. Public health guidance from Evidence-Based Practice for Public Health Emergency Preparedness and Response captures the core idea neatly: “Quarantine is the physical separation and restriction of movement” of something that may carry risk.

The Eight Aggregated Response Strategies (EARS) framework likewise includes reactive steps such as disconnecting infected endpoints, turning off wireless access, or shutting down only the affected segment rather than the whole environment. The goal is to keep critical clinical processes running while limiting the blast radius and preserving evidence for investigation.

Paubox can support that workflow at the entry point by helping teams spot and contain suspicious email activity faster, which reduces the chance that a single compromised inbox becomes widespread system exposure. Isolated systems also need to stay stable enough to support the investigation and, when necessary, controlled observation of suspicious traffic.

See also: What is a quarantined email?

 

Why quarantine is the highest ROI step

Quarantining is the highest-return step after a healthcare breach because it stops losses from compounding while the organization is still losing time, money, and capacity. A JMIR Formative Research study of a ransomware attack at a Portuguese hospital estimated the daily cost of inactivity for a mid-sized facility serving about 350,000 patients at roughly €115,882 to €463,532 (approximately $135,786.25 to $546,687.25 USD), driven by disrupted external consultations, hospitalizations, and emergency services under national contract programs.

Over 21 days, that exposure could reach up to $10 million USD if operations stay impaired and isolation does not happen quickly enough. Sensitivity testing in the same work shows why containment is the economic hinge: isolating affected segments (modeled from roughly 25% to 100% isolation using approaches such as VLAN-based segmentation or air-gapping) reduces cascading failure, preserves operational throughput, and protects revenue streams.

In practice, tools like Paubox help teams rapidly identify and contain suspicious email-driven entry points, so the incident does not keep expanding while response work is underway.

 

How breaches behave like campaigns

Healthcare data breaches do not happen by accident; they are the product of planned campaigns that lean hard on human weak points. Another Perspectives in Health Information Management study frames the problem bluntly: “We found that a vast majority of health records were compromised due to poor human security.” Hacking and IT-driven incidents still dominate modern breach reporting, and networked environments make them scalable once attackers gain a foothold.

The 2025 Healthcare Email Security Report analyzes 180 email-related breaches reported to OCR (January 1, 2024 to January 31, 2025) and finds that only 5% of known phishing attacks are reported by employees, which means attackers can run multi-step plays while defenders stay blind to the initial foothold.

Attackers usually start with phishing or stolen credentials, then move laterally, establish persistence, and collect or exfiltrate large volumes of data, mirroring the multi-step paths seen in major incidents. Phishing stands out in the literature as a high-impact entry point because a single event can expose far more records than other vectors, so an email-led attack can become a company-wide problem when defenses fail.

The study notes that “phishing and cyberattacks led to the highest mean number of records affected at 421,038 and 153,644 records.” That pattern supports the idea that email-led access can escalate from one inbox to enterprise-wide exposure when segmentation, detection, or identity controls fail.

Campaign-style spread is easier in healthcare settings. EHR connectivity, shared credentials, and networked devices can turn a small foothold into a system-wide problem, especially when financially motivated attackers go after the highest privileges and the most valuable data.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

What are common quarantine actions during a live incident?

Common steps include disabling accounts, forcing password resets, blocking malicious domains/IPs, disconnecting endpoints, shutting off Wi-Fi for affected areas, and segmenting the network.

 

Does quarantining mean shutting down the whole hospital network?

Not usually. Good containment aims for targeted isolation so critical clinical services stay available.

 

How does network segmentation help with quarantining?

Segmentation limits what an attacker can reach, so isolation can happen at the segment level instead of taking everything offline.

 

Should you power off infected machines to quarantine them?

Not always. Powering off can destroy volatile evidence; teams often isolate the device from the network first, then decide based on patient safety and forensic needs.
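As an added example that is not part of the original post, the script below carries out the targeted host isolation described in the two FAQ answers above (common quarantine actions, and isolating from the network before deciding whether to power off) in the order a responder would want: it snapshots volatile state first, hashes the snapshot so later tampering is detectable, and only then emits a default-deny iptables ruleset that keeps the incident-response collector reachable and logs every other connection attempt as evidence of beaconing. The collector address 10.50.0.25, the evidence directory, and the APPLY switch are assumptions for illustration, not anything the article or Paubox describes.

```shell
#!/bin/sh
# Added example: Linux host quarantine that preserves volatile evidence.
# Assumptions (not from the article): the IR evidence collector is at
# COLLECTOR_IP, the host uses iptables, and the rules are only enforced
# when run as root with APPLY=1. Without APPLY=1 the script is a dry run
# that snapshots state and prints the rules it would apply.

COLLECTOR_IP="${COLLECTOR_IP:-10.50.0.25}"                  # hypothetical collector
EVIDENCE_DIR="${EVIDENCE_DIR:-${TMPDIR:-/tmp}/ir-evidence-$$}"

# 1. Capture volatile state BEFORE touching the network. Powering off or
#    isolating first would lose live sockets, process trees and ARP caches.
snapshot_volatile() {
    dir="$1"
    mkdir -p "$dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$dir/timestamp.txt"
    ss -tupan > "$dir/sockets.txt" 2>/dev/null || true
    ps -eo pid,ppid,user,lstart,cmd > "$dir/processes.txt" 2>/dev/null || true
    ip neigh > "$dir/arp.txt" 2>/dev/null || true
    # Hash everything collected so the evidence set can be verified later.
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$dir" && for f in *.txt; do sha256sum "$f"; done ) > "$dir/SHA256SUMS"
    else
        ( cd "$dir" && for f in *.txt; do shasum -a 256 "$f"; done ) > "$dir/SHA256SUMS"
    fi
}

# 2. Emit the quarantine ruleset: default-deny in every direction, loopback
#    kept for local tooling, the IR collector allowed both ways, and all
#    other traffic rate-limit logged before being dropped by policy.
quarantine_rules() {
    collector="$1"
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s $collector -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $collector -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "QUARANTINE-DROP-IN: "
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "QUARANTINE-DROP-OUT: "
EOF
}

# 3. Apply the rules only when explicitly asked; otherwise print them.
apply_quarantine() {
    if [ "${APPLY:-0}" = "1" ]; then
        quarantine_rules "$COLLECTOR_IP" | sh -e
    else
        quarantine_rules "$COLLECTOR_IP"
    fi
}

main() {
    snapshot_volatile "$EVIDENCE_DIR"
    echo "# evidence snapshot written to $EVIDENCE_DIR"
    apply_quarantine
}

main
```

Run it once as a dry run to review the ruleset and the evidence directory, then as root with `APPLY=1` to enforce the isolation. The machine stays powered on, so memory and the logged drop attempts remain available to the investigation; whether it is later powered off is a separate decision driven by patient safety and forensic needs, as the answer above says.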