---
title: How a Healthcare Scheduling Platform Recovered from a Breach in 48 Hours
description: A step-by-step timeline of incident response that worked. From discovery to recovery in 48 hours at a healthcare scheduling startup, including the critical decisions and lessons learned.
date: 2026-02-17
category: stories
tags:
  - Recovery
readTime: 12 min read
---

::tldr
When an attacker gained access to a healthcare scheduling platform's admin panel through a compromised team member's credentials, the team had 48 hours of intense incident response. Having a plan, clear roles, and good backups made the difference. This is the detailed timeline of how they contained the breach, communicated with customers, and came out stronger.
::

## Hour 0: Discovery

The platform's monitoring system flagged unusual activity at 11:47 PM on a Thursday. An admin account was accessing patient scheduling records in a pattern that didn't match normal usage. Thousands of records in minutes, no pauses, no filtering.

The alert went to the on-call engineer, who escalated immediately. By midnight, the team knew they had a problem.

## The 48-Hour Timeline

:::timeline
::timeline-item{time="Hour 0-2: Containment"}
Revoked all admin sessions. Reset all admin passwords. Enabled IP restrictions on admin panel. Took the suspicious account offline entirely.
::

::timeline-item{time="Hour 2-6: Investigation"}
Reviewed all logs for the past 30 days. Identified the entry point: a phishing email compromised an admin's credentials. The attacker had been in the system for 4 hours before detection.
::

::timeline-item{time="Hour 6-12: Assessment"}
Determined scope of data accessed. 3,400 customer records were viewed. No payment data (stored with Stripe). No evidence of data exfiltration beyond viewing.
::

::timeline-item{time="Hour 12-18: Legal and Communication Prep"}
Consulted with lawyer about notification requirements. Drafted customer communication. Prepared internal documentation.
::

::timeline-item{time="Hour 18-24: Customer Notification"}
Sent personalized emails to all 3,400 affected customers. Set up dedicated support channel. Published a blog post explaining what happened.
::

::timeline-item{time="Hour 24-36: Security Hardening"}
Implemented mandatory 2FA for all admin accounts. Added additional monitoring rules. Reviewed all user permissions and removed unnecessary access.
::

::timeline-item{time="Hour 36-48: Follow-up and Documentation"}
Responded to customer inquiries. Conducted post-mortem. Updated incident response plan based on learnings.
::
:::

## What Went Right

### 1. They Had Monitoring

The unusual access pattern triggered an alert within 4 hours. Without monitoring, this could have gone undetected for days or weeks.

### 2. They Had a Plan

The team had a basic incident response plan documented. When the alert came, they didn't have to figure out what to do. They followed the checklist.

### 3. They Communicated Quickly

Within 24 hours, every affected customer had a personalized email. Customers appreciated being told directly rather than hearing it from the news.

### 4. They Were Honest

The company's communication didn't minimize or hide anything. They stated exactly what was accessed, how it happened, and what they were doing about it.

::lesson-box
**Key insight:** Speed of response matters, but accuracy matters more. The team could have sent notifications faster, but they waited until they understood the full scope. Half-accurate information creates more problems than a slight delay.
::

## What Went Wrong

### 1. No 2FA on Admin Accounts

The breach happened because a single password was compromised. If the company had required 2FA, the stolen password alone wouldn't have been enough.

### 2. Overly Broad Admin Access

The compromised account could access all customer records. Most admin tasks don't need that level of access. The team should have had tiered permissions.

### 3. No Phishing Training

The team member fell for a credential phishing email. Regular security awareness training could have prevented this.

## Customer Reactions

The team expected backlash. They prepared for angry emails and cancellations. The actual response surprised them:

- **85%** thanked the company for the transparent communication
- **12%** had questions but remained customers
- **3%** canceled their accounts

Several customers specifically said the company's handling of the breach increased their trust. They'd seen other companies try to hide breaches, and the transparency stood out.

## The Recovery Cost

Beyond the 48 hours of crisis management, the incident had ongoing costs:

- **$4,500** in legal consultation
- **~40 hours** of engineering time for security improvements
- **~20 hours** of customer support handling inquiries
- **3 customers lost** (roughly $300/month in revenue)

Total direct cost: approximately $10,000-15,000. Far less than it could have been with slower response or worse handling.

## Permanent Changes

After the incident, the healthcare scheduling platform made these permanent changes:

1. **Mandatory 2FA** for all team members, no exceptions
2. **Role-based access** with minimum necessary permissions
3. **Quarterly security training** including phishing simulations
4. **Enhanced monitoring** with lower alert thresholds
5. **Regular access reviews** to remove unnecessary permissions
6. **Documented incident response** updated with lessons learned

:::faq-section
::faq-item{question="How do I create an incident response plan?"}
Start simple: document who to contact, how to revoke access, where logs are stored, and draft templates for customer communication. You can expand it over time, but having something basic is better than nothing.
::

::faq-item{question="When should I notify customers about a breach?"}
As soon as you understand the scope. Many jurisdictions require notification within specific timeframes (72 hours for GDPR). Even without legal requirements, faster is generally better for maintaining trust.
::

::faq-item{question="Should I notify customers if no data was exfiltrated?"}
If their data was accessed (even just viewed), they should know. The definition of "breach" varies by jurisdiction, but transparency is usually the right call regardless of legal requirements.
::

::faq-item{question="What monitoring should I have in place?"}
At minimum: alerts for unusual login patterns, bulk data access, access from new locations, and failed login attempts. Many cloud providers offer these features built-in.
::
:::

:::related-articles
::related-card{description="Another incident response story" href="/blog/stories/customer-data-breach" title="The Customer Email That Started a Crisis"}
::

::related-card{description="The long road to recovery" href="/blog/stories/customer-trust-rebuilt" title="Rebuilding Customer Trust After a Breach"}
::

::related-card{description="Be prepared for when things go wrong" href="/blog/checklists/incident-response-checklist" title="Incident Response Checklist"}
::
:::

::cta-box{href="/" label="Start Free Scan"}
## Be Prepared

Find vulnerabilities before they become incidents.
::