
Bradford Health Services Settlement: Mitigating PHI Exfiltration Risks in Healthcare

Security Arsenal Team
June 26, 2026

The recent settlement between Bradford Health Services/Partners and plaintiffs regarding a December 2023 cybersecurity incident serves as a stark reminder of the long-tail risks associated with Protected Health Information (PHI) exposure. While the initial intrusion occurred in late 2023, the legal and operational repercussions extend well into 2026. For defenders, this isn't just about compliance; it's about understanding the mechanics of data exfiltration in healthcare environments and implementing controls that detect unauthorized access before it becomes a legal discovery motion.

Introduction

Healthcare entities remain prime targets for cybercriminals due to the high value of PHI on the black market. The Bradford Health incident underscores a critical failure in the defense-in-depth strategy: unauthorized access to sensitive data repositories. Whether the initial vector was phishing, credential stuffing, or exploited vulnerabilities, the result was the same—massive potential exposure of patient data. Defenders must move beyond basic perimeter security and focus on Data Loss Prevention (DLP) and rigorous monitoring of data access behaviors.

Technical Analysis

While the specific CVE exploited in the December 2023 Bradford incident is not disclosed in the settlement reporting, the attack profile aligns with common healthcare threat vectors: Unauthorized Network Access and Data Exfiltration. In these scenarios, attackers often gain a foothold via compromised credentials or legacy services, move laterally to file servers or email databases, and stage data for exfiltration.

  • Affected Assets: Electronic Health Records (EHR) systems, file shares containing patient documents, and email repositories.
  • Attack Chain: Initial Access -> Credential Dumping/Reuse -> Lateral Movement -> Data Staging -> Exfiltration (Web/SMTP).
  • Exploitation Status: The method of exfiltration in these cases typically involves abusing legitimate protocols (e.g., SMB for internal copying, HTTPS for upload) or leveraging built-in administrative tools (e.g., PowerShell mail export) to bypass network egress controls.

Detection & Response

Detecting a breach of this nature requires visibility into abnormal data access patterns and administrative actions. Defenders should focus on mass data retrieval and configuration changes that facilitate data theft.

Sigma Rules

```yaml
---
title: Bradford Health Style - Mass Mailbox Export via PowerShell
id: 9c8d7e6a-5b4c-4a3b-8f9e-1a2b3c4d5e6f
status: experimental
description: Detects attempts to export large volumes of mailbox data, a common tactic in PHI exfiltration. Often used by attackers or insiders to steal data from Exchange Online.
references:
  - https://attack.mitre.org/techniques/T1114/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.collection
  - attack.t1114.002
logsource:
  product: m365
  service: exchange
detection:
  selection:
    Operation|contains:
      - 'New-MailboxExportRequest'
      - 'New-MailboxSearch'
      - 'New-ComplianceSearchAction'
  condition: selection
falsepositives:
  - Legitimate eDiscovery or migration activities by IT staff
level: high
---
title: Bradford Health Style - Creation of Inbox Forwarding Rules
id: 1a2b3c4d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the creation or modification of inbox rules that forward or redirect mail, which can be used to exfiltrate PHI to external accounts controlled by attackers.
references:
  - https://attack.mitre.org/techniques/T1114/003/
author: Security Arsenal
date: 2026/05/20
tags:
  - attack.collection
  - attack.t1114.003
logsource:
  product: m365
  service: exchange
detection:
  selection:
    Operation|contains:
      - 'New-InboxRule'
      - 'Set-InboxRule'
    Parameters|contains:
      - 'ForwardTo'
      - 'RedirectTo'
      - 'ForwardAsAttachmentTo'
  condition: selection
falsepositives:
  - Users setting up legitimate email forwarding
level: medium
```
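A replay of the two Sigma rules above in plain Python, added here as an example that is not part of the original post: it classifies constructed Exchange Online audit records (shaped like UnifiedAuditLog entries), separates forwarding rules that point outside an assumed set of tenant domains from internal ones, and counts export/search operations per user so that a burst, rather than a single eDiscovery job, raises the high-severity alert. ACCEPTED_DOMAINS, the threshold and the sample records are assumptions.

```python
import re
from collections import Counter

ACCEPTED_DOMAINS = {"bradford.example"}      # assumption: the tenant's own domains
EXPORT_OPS = {"New-MailboxExportRequest", "New-MailboxSearch",
              "New-ComplianceSearchAction", "Search-Mailbox"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def forwarding_targets(record):
    """Addresses a New-/Set-InboxRule record forwards or redirects mail to."""
    if record["Operation"] not in RULE_OPS:
        return []
    targets = []
    for p in record.get("Parameters", []):
        if p["Name"] in FORWARD_PARAMS:
            # values look like 'Display Name [SMTP:user@domain]' or a bare address
            targets.extend(EMAIL_RE.findall(p["Value"]))
    return targets

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in ACCEPTED_DOMAINS

def triage(records, export_threshold=3):
    """Return (severity, user, reason) alerts: external forwarding rules are high,
    internal ones low; export_threshold or more export/search ops by one user is high."""
    alerts, exports = [], Counter()
    for r in records:
        for t in forwarding_targets(r):
            sev = "high" if is_external(t) else "low"
            alerts.append((sev, r["UserId"], f"forwarding rule -> {t}"))
        if r["Operation"] in EXPORT_OPS:
            exports[r["UserId"]] += 1
    for user, n in exports.items():
        if n >= export_threshold:
            alerts.append(("high", user, f"{n} mailbox export/search operations"))
    return alerts

# constructed records in the shape of UnifiedAuditLog entries (not real tenant data)
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "nurse@bradford.example",
     "Parameters": [{"Name": "ForwardTo", "Value": "Accounts [SMTP:acct@bradford.example]"}]},
    {"Operation": "Set-InboxRule", "UserId": "clerk@bradford.example",
     "Parameters": [{"Name": "RedirectTo", "Value": "drop@attacker-mail.example"}]},
] + [{"Operation": "New-MailboxExportRequest", "UserId": "admin@bradford.example",
      "Parameters": [{"Name": "Mailbox", "Value": f"user{i}"}]} for i in range(3)]
```

Running `triage(SAMPLE)` yields one low alert for the internal forward, one high alert for the redirect to attacker-mail.example, and one high alert for the admin's three export requests.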


**KQL (Microsoft Sentinel)**
```kql
// Hunt for mailbox export / search operations that can stage PHI for exfiltration.
// Assumes the Office 365 connector (OfficeActivity table) is ingested into Sentinel.
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in ("New-MailboxExportRequest", "New-MailboxSearch",
                      "New-ComplianceSearchAction", "Search-Mailbox", "Export-Mailbox")
| project TimeGenerated, Operation, UserId, ClientIP, ResultStatus, OfficeObjectId, Parameters
| order by TimeGenerated desc
```


**Velociraptor VQL**
```sql
-- Hunt for PowerShell processes associated with data staging or exfiltration:
-- archiving, export or upload cmdlets whose command line names common data-file types
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ '^(powershell|pwsh)\.exe$'
   AND CommandLine =~ '(Compress-Archive|Export-|Copy-Item|Invoke-WebRequest|Invoke-RestMethod)'
   AND CommandLine =~ '\.(csv|xlsx?|bak|zip|pst)'
```


**Remediation Script (PowerShell)**
```powershell
# Audit and Remediate: Identify Exchange Online mailboxes with forwarding configured
# Requires the ExchangeOnlineManagement module and an existing session (Connect-ExchangeOnline).
# Read-only unless the remediation lines at the bottom are uncommented.

Write-Host "Auditing mailboxes for forwarding settings and inbox rules..."

$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding: ForwardingSmtpAddress (any SMTP address, typically external)
    # and ForwardingAddress (an internal recipient object)
    $smtpForward = $mbx.ForwardingSmtpAddress
    $intForward  = $mbx.ForwardingAddress

    # Inbox rules that forward, redirect, or forward-as-attachment
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $null -ne $_.ForwardTo -or $null -ne $_.RedirectTo -or $null -ne $_.ForwardAsAttachmentTo }

    if ($smtpForward -or $intForward -or $rules) {
        Write-Host "WARNING: Forwarding detected on mailbox: $($mbx.PrimarySmtpAddress)"
        if ($smtpForward) { Write-Host "  - SMTP Forward: $smtpForward" }
        if ($intForward)  { Write-Host "  - Internal Forward: $intForward" }
        foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo) | Where-Object { $_ }
            Write-Host "  - Inbox Rule '$($rule.Name)': $($targets -join ', ')"
        }

        # Optional: Remediation - clear mailbox forwarding and remove the rules (uncomment below)
        # Set-Mailbox -Identity $mbx.Identity -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        # $rules | Remove-InboxRule -Confirm:$false
    }
}

Write-Host "Audit complete."
```

Remediation

To prevent similar incidents and ensure compliance with HIPAA Security Rules:

  1. Disable Internet-Exposed RDP: Ensure no critical systems, especially those containing PHI, are accessible via RDP from the internet. Use VPNs or Zero Trust Network Access (ZTNA) solutions.
  2. Implement Strict DLP: Deploy Data Loss Prevention policies that specifically identify and block the transfer of medical record numbers, SSNs, and diagnosis codes (ICD-10) over unencrypted channels or to unauthorized personal storage services.
  3. MFA Everywhere: Enforce phishing-resistant Multi-Factor Authentication (MFA) for all users, particularly those with access to email admin consoles and EHR databases.
  4. Principle of Least Privilege: Review and revoke unnecessary admin rights. Use Role-Based Access Control (RBAC) to ensure users only access the specific patient records required for their role.
  5. Vendor Risk Management: If the breach involved third-party partners (as suggested by 'Bradford Health Partners'), conduct immediate security assessments of all business associates to verify their encryption and access control standards.
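Remediation item 2 carried into code, as an added example that is neither the post's nor any vendor's DLP engine: a content classifier for outbound text that matches SSNs (rejecting ranges the SSA never issues), ICD-10-CM codes and an assumed 8-digit MRN format, plus a policy function that blocks when such identifiers leave over an unencrypted channel or to a domain outside an allowed list. The MRN format, the sample message and ALLOWED_DOMAINS are assumptions.

```python
import re

# Identifier patterns for the DLP policy. SSN and ICD-10-CM follow the published
# formats; the 8-digit MRN format is an assumption (MRN schemes vary by EHR vendor).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{8})\b", re.IGNORECASE)
# ICD-10-CM: letter (U is reserved), two digits, '.', 1-4 alphanumerics. Category-only
# codes such as E11 are deliberately not matched: they collide with tokens like B12.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}\.[0-9A-Z]{1,4}\b")

def valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues, so 000-12-3456 is not a false hit."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def find_phi(text):
    """Return {category: [matches]} for PHI identifiers present in outbound text."""
    hits = {
        "ssn": [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())],
        "mrn": MRN_RE.findall(text),
        "icd10": ICD10_RE.findall(text),
    }
    return {k: v for k, v in hits.items() if v}

def policy_verdict(text, encrypted_channel, destination_domain, allowed_domains):
    """'allow' or 'block': PHI may only leave over an encrypted channel to a
    sanctioned destination (remediation item 2)."""
    phi = find_phi(text)
    if not phi:
        return "allow"
    if not encrypted_channel:
        return "block"
    return "allow" if destination_domain.lower() in allowed_domains else "block"

# constructed outbound message and policy inputs (not real patient data)
MESSAGE = ("Patient MRN: 00482913, SSN 123-45-6789, dx E11.9 and J45.20. "
           "Ticket ref 000-12-3456, room B12.")
ALLOWED_DOMAINS = {"bradford.example", "partner-lab.example"}   # assumption
```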
