Technology

Sure, they'll return the data, but why wouldn't they keep a copy? It's not like there's any way to prove that it's not copied. So they could get a $100k payday from the victim, plus whatever they can get on the black market. They'll probably split up the data so it's not as obvious where it came from (don't want to scare away the next victim).

Any data that's ransomed should be assumed to be available to attackers. That means the first people they should contact are the police, because until they pay the ransom, the attackers probably won't leak it (that would reduce the chance that you'd pay the ransom). There's usually a time limit, but they could probably stall until the police get involved. If the police can catch them, there's a chance they could protect their customers from having their private medical data from being sold.

I get it, breaches happen, but there's no excuse for not having off-site backups. 1TB at Backblaze B2 costs $6/month, so assuming that's enough (it probably is), $100k could pay for over 1000 years of backups... And it's probably something they could pay a contractor once to set up and then largely forget about it until they need it. Or if you use AWS, just turn on backups there, it'll probably cost a little more, but it'll be way easier.

The process of should be:

1. get threatening ransom notice
2. call the police
3. patch the leak and restore from backup onto a new machine (can even hire a contractor to do it in <1 week)
4. delay the ransom person ("I need time to get the money together...")
5. repeat 4 while operating business as usual as long as you can to buy the police time

Your data will probably get leaked on the dark web regardless, so just accept that at step 1.