Introduction
AdaptHealth, a major provider of home medical equipment and sleep therapy products, has confirmed a material cybersecurity incident resulting in the theft of patient data. For healthcare defenders, this is a critical signal. The compromise of Protected Health Information (PHI) is not just a regulatory headache under HIPAA; it is often a precursor to targeted phishing campaigns against patients and ransomware follow-on attacks.
The incident highlights a harsh reality in 2026: the healthcare supply chain remains a prime target. When an entity managing sensitive patient histories and financial data is breached, the blast radius extends far beyond the corporate network. Defenders must assume that adversary tools used in this campaign—likely credential harvesting tools or web shell variants—are currently in circulation against similar infrastructure.
Technical Analysis
While specific CVEs were not disclosed in the initial reports, the classification of a "material" incident involving data theft suggests a sophisticated attack chain, likely bypassing perimeter defenses via compromised credentials or a zero-path web vulnerability on patient portals.
- Affected Assets: The breach involves systems storing Personally Identifiable Information (PII) and PHI. In the context of AdaptHealth, this includes databases for sleep therapy compliance, diabetes supply orders, and billing records.
- Attack Vector (Defensive View): Adversaries typically gain initial access through phishing or brute-forcing Remote Desktop Protocol (RDP) / VPN credentials. Once inside, they perform lateral movement to locate file shares or database servers with high concentrations of patient data.
- Exfiltration Mechanism: Data theft of this magnitude rarely happens via HTTPS uploads in small batches. We generally see the use of archiving tools (7-Zip, WinRAR) to compress large volumes of
.pdf,.docx, and.csvfiles before moving them to cloud storage or staging servers for exfiltration. - Exploitation Status: Confirmed active exploitation. The data is confirmed stolen, implying the attackers successfully navigated egress controls.
Detection & Response
Defensive operations must pivot from "prevention" to "detection of post-compromise activity." We need to hunt for the behaviors associated with data staging: mass compression, unusual file access patterns, and unauthorized database exports.
SIGMA Rules
---
title: Potential PHI Mass Archiving Activity
id: 8a4d2e10-5f31-4c9a-9b12-3e4a5f6d7e8c
status: experimental
description: Detects attempts to compress large numbers of files, potentially indicating data staging for exfiltration. Focuses on common archiving tools.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\zip.exe'
- '\tar.exe'
selection_args:
CommandLine|contains:
- '-a'
- 'compress'
- '-m0'
condition: selection_tools and selection_args
falsepositives:
- Legitimate system backups by IT administrators
level: high
---
title: Suspicious Microsoft Access Database Scripting
id: 9b5e3f21-6a42-5d0b-0c23-4f5b6a7e8f9d
status: experimental
description: Detects execution of Microsoft Office Access with potential scripting flags, often used to export databases or tables rapidly.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msaccess.exe'
CommandLine|contains:
- '/x'
- '/cmd'
- 'Export'
condition: selection
falsepositives:
- Legitimate database administration tasks
level: medium
KQL (Microsoft Sentinel)
This query hunts for processes that are reading a high volume of files in a short timeframe, a common indicator of data theft scripts.
let TimeBin = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeBin)
| where InitiatingProcessFileName in ('cmd.exe', 'powershell.exe', 'python.exe', 'wscript.exe')
| summarize Count = count() by DeviceName, InitiatingProcessFileName, AccountName, bin(Timestamp, TimeBin)
| where Count > 100
| extend AlertDetail = strcat('High volume of process execution initiated by ', InitiatingProcessFileName, ' on ', DeviceName)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, Count, AlertDetail
| order by Count desc
Velociraptor VQL
This artifact hunts for compressed archives created in user directories or temp folders where data staging often occurs.
-- Hunt for recently created archives in user profiles and temp directories
SELECT FullPath, Size, Mtime, Mode, SID
FROM glob(globs=/*
C:\Users\*\*.zip,
C:\Users\*\*.rar,
C:\Users\*\*.7z,
C:\Windows\Temp\*.zip,
C:\Windows\Temp\*.7z
*/)
WHERE Mtime > now() - 7d
AND Size > 1000000
ORDER BY Mtime DESC
Remediation Script (PowerShell)
Use this script to audit file shares for "Everyone" or "Anonymous" logon permissions, a common misconfiguration that facilitates bulk data theft.
# Audit File Shares for Open Access Permissions
function Get-OpenShares {
$Shares = Get-SmbShare
$RiskShares = @()
foreach ($Share in $Shares) {
$Path = $Share.Path
if ($Path) {
$Acl = Get-Acl -Path $Path
foreach ($Access in $Acl.Access) {
# Check for 'Everyone' or 'Anonymous Logon' with Modify or FullControl
if (($Access.IdentityReference.Value -eq 'Everyone' -or $Access.IdentityReference.Value -eq 'Anonymous Logon') -and
($Access.FileSystemRights -match 'Modify|FullControl')) {
$RiskShares += [PSCustomObject]@{
ShareName = $Share.Name
Path = $Path
Identity = $Access.IdentityReference.Value
Rights = $Access.FileSystemRights
}
}
}
}
}
return $RiskShares
}
Get-OpenShares | Format-Table -AutoSize
Remediation
Immediate defensive actions are required to limit the exposure of remaining data:
-
Compromised Credential Hygiene: Force a password reset for all users with access to PHI databases, specifically targeting administrative accounts. Enforce MFA (FIDO2 hardware keys preferred) immediately for remote access solutions.
-
Network Segmentation: Verify that systems containing PHI are not flatly connected to the general corporate network. Restrict internet egress from database servers; they should communicate only with application servers.
-
Audit Logging: Ensure that Detailed File Sharing auditing and Object Access auditing are enabled on all file servers storing patient data. Without these logs, you cannot prove the scope of the breach.
-
Data Loss Prevention (DLP): Tune DLP rules to alert on any transfer of files containing high counts of SSNs or medical record numbers (MRN) to unauthorized endpoints (e.g., personal Gmail, Dropbox).
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.