Back to Intelligence

Calibrated Healthcare Settlement: Mitigating PHI Breach Risks and Liability

SA
Security Arsenal Team
July 7, 2026
5 min read

Calibrated Healthcare Systems, LLC, and Calibrated Healthcare, LLC, have agreed to settle a class action lawsuit following a significant data breach discovered in February. While the specific technical details of the intrusion are often sealed in settlements, the outcome highlights a critical reality for healthcare defenders: the legal and financial repercussions of failing to protect Protected Health Information (PHI) are severe and immediate.

For Security Operations Centers (SOCs) and CISOs, this settlement is a stark reminder that compliance is not a checkbox—it is a baseline for survival. The breach, which exposed sensitive patient data, resulted in a class action suit, forcing the organization to address the failures in their security posture. This post analyzes the defensive implications of such breaches and provides actionable detection logic to identify unauthorized PHI access and exfiltration.

Technical Analysis

Although the specific vulnerability or initial access vector for the Calibrated Healthcare breach was not disclosed in the settlement summary, breaches in the healthcare sector typically follow a predictable path targeting high-value data stores. The threat here is the Unauthorized Access and Exfiltration of PHI.

  • Affected Assets: Electronic Health Records (EHR) systems, databases containing PII/PHI, and file shares storing patient documents.
  • Attack Chain: The attacker typically gains initial access via phishing, credential stuffing, or unpatched services, moves laterally to locate data stores (often searching for terms like "patient," "medical," or "diagnosis"), and stages the data for exfiltration.
  • Impact: Exposure of names, addresses, medical histories, and insurance information leads to regulatory fines (HIPAA), remediation costs, and class action litigation.

Detection & Response

Defending against this type of breach requires visibility into how sensitive data is accessed and moved. We must detect anomalous access patterns to patient data and the staging of files for exfiltration.

SIGMA Rules

The following Sigma rules detect potential mass access or staging of sensitive medical data files and the use of archiving tools often used during exfiltration.

YAML
---
title: Potential Mass Access to Sensitive Medical Files
id: 8a4b2c11-9e6d-4f3a-a7b5-6d7e8f9a0b1c
status: experimental
description: Detects processes accessing a high volume of files with medical/PHI-related extensions or naming patterns in a short time window.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\Patients\\'
      - '\\Medical\\'
      - '\\PHI\\'
    TargetFilename|endswith:
      - '.pdf'
      - '.docx'
      - '.xlsx'
      - '.emr'
      - '.dcm'
  condition: selection | count(TargetFilename) > 20
timeframe: 5m
falsepositives:
  - Legitimate batch processing by EHR systems
  - Backup operations
level: high
---
title: Data Staging via Compression Tools
id: 9c5d3e22-0f7e-5g4b-b8c6-7e8f0a1b2c3d
status: experimental
description: Detects the use of common compression tools (WinRAR, 7-Zip) in user directories, often indicating data staging for exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\winrar.exe'
      - '\\7z.exe'
      - '\\zip.exe'
    CommandLine|contains:
      - ' -a '
      - ' -tzip'
      - ' -m0'
  filter:
    CurrentDirectory|contains:
      - 'C:\\Program Files'
      - 'C:\\Windows'
falsepositives:
  - Users compressing their own legitimate files
  - Software updates
level: medium

KQL (Microsoft Sentinel / Defender)

This KQL query hunts for unusual volume of data egress or access to sensitive file paths, which could indicate an active breach similar to the one suffered by Calibrated Healthcare.

KQL — Microsoft Sentinel / Defender
let MedicalExtensions = dynamic(['.pdf', '.docx', '.emr', '.dcm', '.mds', '. DICOM']);
let SensitivePaths = dynamic(['\\Patients\\', '\\MedicalRecords\\', '\\PHI\\']);
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName has_any(SensitivePaths) or FolderPath has_any(SensitivePaths)
| where FileType in~ (MedicalExtensions)
| summarize count() by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 10m)
| where count_ > 15
| project DeviceName, InitiatingProcessAccountName, Timestamp, EventCount = count_
| order by EventCount desc

Velociraptor VQL

Use this VQL artifact to hunt for the presence of suspicious compressed archives (ZIP/RAR) in user profile directories, a common indicator of data staging.

VQL — Velociraptor
-- Hunt for compressed archives in user directories (potential data staging)
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/*Users/*/*.zip")
WHERE Size > 1024 * 1024
   AND Mtime > now() - 7d
UNION ALL
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/*Users/*/*.rar")
WHERE Size > 1024 * 1024
   AND Mtime > now() - 7d

Remediation Script (PowerShell)

This PowerShell script assists in the immediate remediation phase by auditing Access Control Lists (ACLs) on common PHI storage paths to ensure they are not overly permissive (e.g., "Everyone" or "Authenticated Users").

PowerShell
# Audit ACLs on potential PHI directories
$pathsToAudit = @("C:\PHI", "C:\Patients", "C:\MedicalRecords", "D:\EHR_Backup")

foreach ($path in $pathsToAudit) {
    if (Test-Path $path) {
        Write-Host "Auditing ACLs for: $path" -ForegroundColor Cyan
        $acls = Get-Acl -Path $path
        foreach ($access in $acls.Access) {
            # Flag broad access rights
            if ($access.IdentityReference.Value -match "Everyone|Authenticated Users|BUILTIN\Users" -and 
                $access.FileSystemRights -match "Write|Modify|FullControl") {
                Write-Host "[WARNING] Overly permissive access found:" -ForegroundColor Red
                Write-Host "  User: $($access.IdentityReference.Value)"
                Write-Host "  Rights: $($access.FileSystemRights)"
            }
        }
    } else {
        Write-Host "Path not found: $path" -ForegroundColor Yellow
    }
}
Write-Host "Audit Complete." -ForegroundColor Green

Remediation

To prevent settlements and breaches like those experienced by Calibrated Healthcare, organizations must enforce the following controls immediately:

  1. Implement Strict Access Controls: Ensure that access to PHI is restricted based on the "Minimum Necessary" standard. Remove broad groups like "Domain Users" or "Everyone" from file shares containing patient data.
  2. Deploy Data Loss Prevention (DLP): Configure DLP policies to detect and block the transmission of sensitive data types (e.g., credit card numbers, medical record numbers) outside the corporate network.
  3. Enable Comprehensive Auditing: Ensure that all access to EHR systems and PHI repositories is logged. Monitor these logs daily for anomalies using the detection logic provided above.
  4. Endpoint Detection and Response (EDR): Deploy EDR solutions across all endpoints to detect unusual process execution (e.g., unauthorized PowerShell, compression tools) associated with data exfiltration.
  5. Employee Training: Conduct regular security awareness training focused on identifying phishing attempts, the primary vector for credential theft leading to PHI breaches.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhipaadata-breachphi-protectionhealthcare-securityincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.