Back to Intelligence

AdaptHealth Data Breach: Detecting and Mitigating PHI Exfiltration

SA
Security Arsenal Team
July 3, 2026
5 min read

Introduction

AdaptHealth, a major provider of home medical equipment and sleep therapy products, has confirmed a material cybersecurity incident resulting in the theft of patient data. For healthcare defenders, this is a critical signal. The compromise of Protected Health Information (PHI) is not just a regulatory headache under HIPAA; it is often a precursor to targeted phishing campaigns against patients and ransomware follow-on attacks.

The incident highlights a harsh reality in 2026: the healthcare supply chain remains a prime target. When an entity managing sensitive patient histories and financial data is breached, the blast radius extends far beyond the corporate network. Defenders must assume that adversary tools used in this campaign—likely credential harvesting tools or web shell variants—are currently in circulation against similar infrastructure.

Technical Analysis

While specific CVEs were not disclosed in the initial reports, the classification of a "material" incident involving data theft suggests a sophisticated attack chain, likely bypassing perimeter defenses via compromised credentials or a zero-path web vulnerability on patient portals.

  • Affected Assets: The breach involves systems storing Personally Identifiable Information (PII) and PHI. In the context of AdaptHealth, this includes databases for sleep therapy compliance, diabetes supply orders, and billing records.
  • Attack Vector (Defensive View): Adversaries typically gain initial access through phishing or brute-forcing Remote Desktop Protocol (RDP) / VPN credentials. Once inside, they perform lateral movement to locate file shares or database servers with high concentrations of patient data.
  • Exfiltration Mechanism: Data theft of this magnitude rarely happens via HTTPS uploads in small batches. We generally see the use of archiving tools (7-Zip, WinRAR) to compress large volumes of .pdf, .docx, and .csv files before moving them to cloud storage or staging servers for exfiltration.
  • Exploitation Status: Confirmed active exploitation. The data is confirmed stolen, implying the attackers successfully navigated egress controls.

Detection & Response

Defensive operations must pivot from "prevention" to "detection of post-compromise activity." We need to hunt for the behaviors associated with data staging: mass compression, unusual file access patterns, and unauthorized database exports.

SIGMA Rules

YAML
---
title: Potential PHI Mass Archiving Activity
id: 8a4d2e10-5f31-4c9a-9b12-3e4a5f6d7e8c
status: experimental
description: Detects attempts to compress large numbers of files, potentially indicating data staging for exfiltration. Focuses on common archiving tools.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\zip.exe'
      - '\tar.exe'
  selection_args:
    CommandLine|contains:
      - '-a'
      - 'compress'
      - '-m0'
  condition: selection_tools and selection_args
falsepositives:
  - Legitimate system backups by IT administrators
level: high
---
title: Suspicious Microsoft Access Database Scripting
id: 9b5e3f21-6a42-5d0b-0c23-4f5b6a7e8f9d
status: experimental
description: Detects execution of Microsoft Office Access with potential scripting flags, often used to export databases or tables rapidly.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\msaccess.exe'
    CommandLine|contains:
      - '/x'
      - '/cmd'
      - 'Export'
  condition: selection
falsepositives:
  - Legitimate database administration tasks
level: medium

KQL (Microsoft Sentinel)

This query hunts for processes that are reading a high volume of files in a short timeframe, a common indicator of data theft scripts.

KQL — Microsoft Sentinel / Defender
let TimeBin = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeBin)
| where InitiatingProcessFileName in ('cmd.exe', 'powershell.exe', 'python.exe', 'wscript.exe')
| summarize Count = count() by DeviceName, InitiatingProcessFileName, AccountName, bin(Timestamp, TimeBin)
| where Count > 100
| extend AlertDetail = strcat('High volume of process execution initiated by ', InitiatingProcessFileName, ' on ', DeviceName)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, Count, AlertDetail
| order by Count desc

Velociraptor VQL

This artifact hunts for compressed archives created in user directories or temp folders where data staging often occurs.

VQL — Velociraptor
-- Hunt for recently created archives in user profiles and temp directories
SELECT FullPath, Size, Mtime, Mode, SID
FROM glob(globs=/*
  C:\Users\*\*.zip,
  C:\Users\*\*.rar,
  C:\Users\*\*.7z,
  C:\Windows\Temp\*.zip,
  C:\Windows\Temp\*.7z
*/)
WHERE Mtime > now() - 7d
  AND Size > 1000000
ORDER BY Mtime DESC

Remediation Script (PowerShell)

Use this script to audit file shares for "Everyone" or "Anonymous" logon permissions, a common misconfiguration that facilitates bulk data theft.

PowerShell
# Audit File Shares for Open Access Permissions
function Get-OpenShares {
    $Shares = Get-SmbShare
    $RiskShares = @()

    foreach ($Share in $Shares) {
        $Path = $Share.Path
        if ($Path) {
            $Acl = Get-Acl -Path $Path
            foreach ($Access in $Acl.Access) {
                # Check for 'Everyone' or 'Anonymous Logon' with Modify or FullControl
                if (($Access.IdentityReference.Value -eq 'Everyone' -or $Access.IdentityReference.Value -eq 'Anonymous Logon') -and
                    ($Access.FileSystemRights -match 'Modify|FullControl')) {
                    $RiskShares += [PSCustomObject]@{
                        ShareName = $Share.Name
                        Path      = $Path
                        Identity  = $Access.IdentityReference.Value
                        Rights    = $Access.FileSystemRights
                    }
                }
            }
        }
    }
    return $RiskShares
}

Get-OpenShares | Format-Table -AutoSize

Remediation

Immediate defensive actions are required to limit the exposure of remaining data:

  1. Compromised Credential Hygiene: Force a password reset for all users with access to PHI databases, specifically targeting administrative accounts. Enforce MFA (FIDO2 hardware keys preferred) immediately for remote access solutions.

  2. Network Segmentation: Verify that systems containing PHI are not flatly connected to the general corporate network. Restrict internet egress from database servers; they should communicate only with application servers.

  3. Audit Logging: Ensure that Detailed File Sharing auditing and Object Access auditing are enabled on all file servers storing patient data. Without these logs, you cannot prove the scope of the breach.

  4. Data Loss Prevention (DLP): Tune DLP rules to alert on any transfer of files containing high counts of SSNs or medical record numbers (MRN) to unauthorized endpoints (e.g., personal Gmail, Dropbox).

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachadapthealthphi-exfiltrationhealthcare-breachdata-loss-preventionincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.