What clinic IT downtime actually costs (and how to model it for your practice)

The four cost layers of clinic downtime

1. Direct revenue loss. Billed visits that did not happen.
2. Recovery cost. Overtime, vendor incident fees, hardware, data reconstruction.
3. Reputational and patient-trust cost. Churn, negative reviews, referral pipeline impact.
4. Regulatory and legal cost. OIPC notification, potential complaints, professional college reporting.

Most published "downtime cost" numbers from enterprise IT vendors only address the first two and dramatically over-state the result for a 6-physician family clinic. The model below is the one we use in actual Saskatchewan engagements.

Layer 1: direct revenue loss

For a Saskatchewan family practice billing through fee-for-service:

• Typical billed-services-per-physician-hour: 3 to 5 patients, averaging $35–$55 CAD per encounter.
• Per-physician hourly revenue at risk: $100–$275.
• A 6-physician clinic loses $600–$1,650 per hour when the EMR is down and patients are sent home.

A pharmacy is different. The line at the dispensary backs up but revenue mostly defers rather than disappears — you still fill the script tomorrow. The exception is OTC and front-of-store transactions during the outage, which are lost. For a typical community pharmacy, model lost revenue at $200–$500 per hour with a recovery tail.

Layer 2: recovery cost

The line items that show up on every recovery invoice:

Layer 3: reputational and patient-trust cost

The hardest layer to quantify but the one that shows up in the trailing 12 months. A 2024 CMA member survey put patient willingness to switch clinics after a "significant data or access incident" at roughly 18%. Applied to a 6-physician panel of ~9,000 active patients with average annual billings of $180 per patient, the trailing-year revenue at risk is in the $200,000+ range — and most of it is invisible because patients quietly stop booking rather than announcing the move.

Layer 4: regulatory and legal

If the downtime is caused by a breach (ransomware, unauthorized access), the OIPC notification clock starts. Direct legal cost is usually $5,000–$25,000 for outside counsel to walk through the notification and any complaints. The college and professional liability layer is engagement-specific.

Worked example: a 6-physician Regina clinic, 8 hours of downtime

• Direct revenue loss: 6 physicians × 8 hours × $185 average = $8,880.
• Recovery cost (mid-range, no breach): $12,000.
• Reputational tail (conservative, 1% of patients churn): ~$16,200 / year.
• Total first-year impact: roughly $37,000 CAD for a single eight-hour incident.

If the same incident is a ransomware event with a 3-day recovery and an OIPC notification, the total comfortably exceeds $150,000 CAD before any insurance offset.

What actually reduces these costs

• Image-based backups with an immutable copy, tested quarterly. Cuts data-reconstruction from days to hours.
• Documented EMR downtime procedure on paper at every workstation. Lets the clinic keep seeing patients on paper rather than sending them home.
• EDR with 24/7 SOC monitoring. Compresses ransomware dwell time from days to minutes; many incidents are contained before encryption.
• A named technician and a 15-minute response SLA. Removes the 2–4 hours most clinics lose finding someone who will answer.
• Cyber insurance sized to the worked example, not the marketing number.

Want us to run this model with your actual numbers? Book a free 30-minute downtime risk review and we will send you a one-page summary you can take to your partners or your insurer.