The phishing simulation was supposed to be a formality. Then 34% of the staff clicked the link.
This is a composite account drawn from compliance engagements we run regularly — a South Florida healthcare billing and practice management firm whose compliance journey started with a number nobody expected, and ended in a place nobody thought they’d reach in under a year.
A 31-person healthcare billing and revenue cycle management firm serving medical and dental practices across South Florida and beyond. They handled PHI on behalf of multiple covered entities, making them a HIPAA business associate. They processed billing data that included Social Security numbers and insurance identifiers, adding state privacy law obligations. Several of their practice clients had asked them to demonstrate compliance as a condition of renewing contracts.
They had a compliance program on paper: a signed BAA template, a privacy policy on the website, and an annual training that employees completed online. Their IT was managed by a part-time consultant who handled tickets reactively. By their own reckoning, they were reasonably compliant.
The engagement started, as all NerdSquad compliance engagements do, with a baseline assessment. As part of that assessment, we ran a simulated phishing campaign — a realistic credential-harvesting email designed to look like a Microsoft 365 login request.
34% of the staff clicked the link and entered their credentials.
In a firm handling PHI for dozens of medical practices, one-third of employees would have handed their login credentials to an attacker without hesitation. The firm’s leadership was genuinely stunned. The IT consultant had never run a simulation.
None of this was malicious. It was the predictable result of reactive IT and a compliance program that existed on paper but hadn’t been connected to the technology environment.
Months 1–2: The critical layer. EDR deployed across all 31 workstations. MFA enforced on all accounts. Former employee accounts terminated. Cloud backup established with documented, tested recovery procedures. WORM-compliant (write-once, read-many) email archiving deployed and configured to capture all business communications.
Month 2: The risk assessment. Documented, completed, signed. Asset inventory, threat identification, vulnerability scoring, risk prioritization, and remediation roadmap. The firm now had the foundational compliance document it had never had. See what a compliance risk assessment actually covers.
Months 2–3: Training launch. Structured security awareness training rolled out to all 31 employees with role-appropriate content. Completion tracked and documented.
Month 3: Second phishing simulation. Click rate: 11%. Down 23 points in six weeks — and a documented, dated result showing measurable progress.
Months 3–6: Policy documentation. Written information security policies, incident response plan, BAA inventory and review, vendor security assessments for all third-party software used in PHI workflows.
Month 6: Third phishing simulation. Click rate: 4%. Employees who clicked received immediate in-browser education. Results documented with individual and aggregate records for compliance files.
Months 6–12: Steady state. RMM (remote monitoring and management) running across all devices. Patch management on an automated schedule. Quarterly compliance reviews generating updated documentation.
One of the firm’s largest clients — a multi-location dental group — required a compliance review as a condition of renewing a five-year contract. The client’s compliance consultant reviewed the firm’s documentation package and found: a completed and current risk assessment, documented training records with simulation results showing improvement from 34% to 4%, MFA enforcement across all accounts, EDR on every device, tested backup with documented recovery times, WORM-compliant archiving, a written incident response plan, and a full vendor and BAA inventory.
The contract renewed. The dental group also asked if NerdSquad could be introduced to two of their other vendor partners.
Eight months into the engagement, our EDR flagged an unusual process on a billing coordinator’s workstation — behavior consistent with credential harvesting malware. The machine was automatically isolated. Infection vector: a malicious attachment in a personal email opened on a company device during lunch.
Total impact: one isolated workstation, cleaned and restored from backup in four hours. Zero PHI accessed. Zero breach notification required. Zero client impact. Under the old setup, that same incident would likely have spread laterally, encrypted billing data, and triggered a breach notification process affecting dozens of medical practices. Instead, it was a Tuesday afternoon ticket.
The firms that go through this process are almost never negligent. They’re busy. The gap between what they have and what they need isn’t always obvious until someone measures it. The phishing simulation, the environmental audit, the risk assessment — these aren’t punitive. They’re diagnostic. What you find is fixable. What you don’t find is what gets you.
For more on the training program that drove the click rate from 34% to 4%, see Security Awareness Training: The Compliance Requirement That Actually Works. For the broader compliance framework, see Can you help us meet compliance requirements like HIPAA, PCI, and SOC 2?