A multi-facility hospital group with 13,000 employees got breached. The response required 21 consultants billing roughly $275 an hour for six months to a year, or $20 to $30 million in consulting alone before hardware or legal. Steven, one of our senior engineers, sat on-site as their interim CISO. The defining failure wasn't a missing tool. They had a tabletop exercise document. Nobody had practiced it. When the breach hit, no one knew whose job it was to call the lawyer, the carrier, or the MSP, which is exactly where the HIPAA breach notification rule stops being abstract.
The 60-second version
- A 13,000-employee hospital group was compromised. Fornida placed a senior engineer on-site as interim CISO.
- The IR effort grew to 21 consultants at ~$275/hr for six months to a year, $20–30M in consulting alone, before hardware or legal.
- The hospital had a written response plan and documented tabletops. They were never rehearsed.
- The chaos wasn't technical. It was role clarity: who calls the carrier, the lawyer, the MSP? Nobody knew.
- A plan on paper isn't readiness. Readiness is rehearsal, especially when breach-notification obligations start immediately.
What 21 consultants actually buys you
When a 13,000-person organization gets breached, the first instinct is headcount.
They had 20 other consultants that came in. So a total of like 21 consultants billing at something like $275 an hour for six months to a year. So they spent $20 to $30 million just on consultants, not talking about all the hardware.
— Farzad Vahid, CEO, Fornida
What 21 consultants does not automatically buy is coordination. Each one came in with their own playbook and their own definition of done. Without a single accountable structure for the response, it turned into 21 parallel efforts pointed at the same incident.
It was a complete mess. A lot of people were pointing fingers, trying to eradicate the threat actors. There's so much PII data that was released because, with 13,000 employees alone, you can imagine the number of customers they had.
— Farzad Vahid
The tabletop that lived only on paper
Most regulated environments we walk into have a binder. The plan is, on paper, fine.
All these big hospitals have a response plan. They have a tabletop exercise that they go through. But what we found was a lot of these tabletop exercises just weren't being done. Like, people weren't doing what they were supposed to be doing. And that's why our employee that went there as the CISO was just ripping his hair out.
— Farzad Vahid
A tabletop exercise is the named ritual: leadership, IT, legal, comms, and the security partner in a room running a mock incident. Somebody reads a script ("It's 4am, your SOC just paged you about anomalous data egress from a finance laptop. Go.") and the room walks through the next four hours in real time. In healthcare, that rehearsal is where you find out whether the breach-notification chain actually works before the HIPAA clock starts. The point isn't the document. It's the gaps the document doesn't show.
When something happens at your network, whose job is it to call the lawyers? Whose job is it to call the cybersecurity insurance company? Whose job is it to call our MSP? If you don't do that exercise, everybody's pointing at each other. Well, I thought that was your job. I thought that was your job.
— Farzad Vahid
The hospital had the document. They didn't have the answers.
What Steven actually did on-site
The job of an interim CISO during an active engagement is mostly not technical. Eradication was already running across multiple firms. What the organization needed was role clarity. Naming, on a whiteboard:
- Single accountable owner for eradication
- Single accountable owner for communications, internal and external
- Who calls the cyber-insurance carrier, and what the first thing out of their mouth is
- Who calls outside counsel, and what counsel needs to hear
- Who briefs the board, on what cadence, with what detail
None of that is technical. All of it has to be answered before the technical work has a coherent shell to operate inside. When 21 firms are billing simultaneously and nobody can answer in thirty seconds, consulting spend grows every week without the incident shrinking.
He was like, I don't understand. Maybe it's the culture in this company. People just don't do what they're supposed to be doing. They just flat out don't do it. Maybe it was years of bad culture, I'm not really sure.
— Farzad Vahid
The fix isn't a tool. The fix is the rehearsal.
What this means for any business, even a 30-person one
The hospital is the extreme version. The pattern is universal. Three things are true at every scale:
- The HIPAA breach notification rule forces role clarity, not just documentation. Hiring 21 firms didn't fix the hospital's problem. Naming five accountable owners would have started to. Same at 30 employees: who calls the bank, who calls the lawyer, who calls the MSP, who owns notification decisions, written down and rehearsed.
- A tabletop has to be real to count. Read from a script. Set a clock. Don't pause to check the binder. If somebody can't answer in real time, that's the gap. That's the whole point.
- Cybersecurity incident response services still matter, but they sit downstream of readiness. $20–30M of billed time, and the incident dragged on because the coordination layer wasn't there. Spending more on response is not the same as being ready for it.
The eye-opening part of working a breach at that scale isn't the technical complexity. It's how much of the chaos was avoidable, by an exercise the organization had already paid to write.
See what's exposed before someone else does
Most of what trips up a real incident response (missing MFA, gaps in the email layer, SMS-based MFA instead of authenticator apps, no behavioral monitoring on endpoints) is visible in a 30-minute scan. We've already uncovered hundreds of critical issues for other clients with this scan, most of them companies that thought they were fine.
If you don't know what a threat actor would find inside your network right now, book a free vulnerability assessment. 30 minutes. Spots are limited each month. Find the gap before someone else does.