Back to Intelligence

Florida Retina Center Data Breach: Defending Against Unauthorized Access to PHI

SA
Security Arsenal Team
June 24, 2026
6 min read

Introduction

In a stark reminder of the persistent threats facing the healthcare sector, Florida Retina Center recently announced that it had identified unauthorized access to systems containing the protected health information (PHI) of over 13,600 patients. This incident, alongside the concurrent disclosure by Acadia Healthcare Company, underscores the reality that threat actors are aggressively targeting clinical environments to exfiltrate sensitive patient data.

For defenders, this is not just a headline; it is a tactical indicator. When "unauthorized access" is confirmed in a healthcare setting, it often implies a failure of access controls, credential compromise, or a lack of visibility into lateral movement. This post dissects the mechanics of such breaches and provides the defensive playbooks required to detect and contain unauthorized access to patient data systems.

Technical Analysis

Affected Entities: Florida Retina Center, Acadia Healthcare Company.

At Risk: Systems storing PHI. In the context of a Retina Center, this typically includes Electronic Health Records (EHR), Picture Archiving and Communication Systems (PACS) hosting ocular imaging, and administrative databases storing Personally Identifiable Information (PII).

The Threat Vector: While the specific vulnerability or initial access vector has not been publicly disclosed in this specific alert, "unauthorized access" generally entails one of two technical scenarios:

  1. Credential Theft: Valid credentials are obtained via phishing or infostealers, allowing an adversary to authenticate as a legitimate user (often a clinician or admin).
  2. Exploitation of Exposed Services: Vulnerabilities in remote access services (VPN, RDP) or web-facing interfaces allow bypass of authentication.

Exploitation Status: Confirmed unauthorized access leading to data exposure. The breach is not theoretical; data has been accessed, necessitating a presumption of exfiltration until forensic analysis proves otherwise.

Defensive Gap: The primary failure in these incidents is often the lack of granular monitoring around who is accessing what data, and when. Anomalous access patterns—such as a user account accessing thousands of patient records in a short window or logging in from unusual geolocations—are the primary behavioral indicators that defenders must hunt for.

Detection & Response

The following detection rules are designed to identify the behaviors typically associated with unauthorized access and subsequent data staging or exfiltration in a Windows environment common in healthcare.

SIGMA Rules

YAML
---
title: Potential Mass Data Access or Staging via Archive Tools
id: 8a2f1c92-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects processes often used for data staging or archiving (e.g., 7-Zip, WinRAR) interacting with directories likely containing patient data or PHI.
references:
 - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.collection
 - attack.t1560.001
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\7z.exe'
     - '\winrar.exe'
     - '\tar.exe'
   CommandLine|contains:
     - 'a '  
     - '-compress'
     - '-c'
 condition: selection
falsepositives:
 - Legitimate backup operations by IT staff
level: high
---
title: Suspicious Remote Access Tool Execution
id: 9b3f1c82-9e4b-4d67-bc12-3e5a8f901235
status: experimental
description: Detects execution of common remote management tools (e.g., AnyDesk, TeamViewer, Splashtop) which are frequently used by adversaries for persistence and unauthorized access.
references:
 - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.command_and_control
 - attack.t1219
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|contains:
     - '\anydesk.exe'
     - '\teamviewer.exe'
     - '\splashtop.exe'
     - '\supremo.exe'
 condition: selection
falsepositives:
 - Authorized remote support sessions
level: medium
---
title: Unusual Access to Sensitive User Profile Directories
id: 0c4f1c82-9e4b-4d67-bc12-3e5a8f901236
status: experimental
description: Detects processes accessing sensitive user profile directories (Documents, Desktop) which may contain PHI exports or sensitive files, triggered by non-standard applications.
references:
 - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.collection
 - attack.t1005
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   CommandLine|contains:
     - '\Documents\'
     - '\Desktop\'
   Image|notcontains:
     - '\explorer.exe'
     - '\Microsoft.Office.\'
     - '\chrome.exe'
     - '\edge.exe'
 condition: selection
falsepositives:
 - User opening files with custom viewers
level: low

KQL (Microsoft Sentinel / Defender)

This hunt query identifies successful logons where the user is not a machine account, targeting high-value workstations or servers, and originating from an IP address that has not been seen recently in the environment (a common indicator of unauthorized credential use).

KQL — Microsoft Sentinel / Defender
let HighValueAssets = DeviceProcessEvents
| where DeviceName has "Server" or DeviceName has "EHR" or DeviceName has "PACS"
| distinct DeviceName;
SigninLogs
| where ResultType == 0
| where isnotnull(IPAddress)
| where UserType in ("Member", "Guest")
| where DeviceDetail in (HighValueAssets) or AppDisplayName in ("Microsoft Office 365", "Electronic Health Record")
| join kind=anti (
    SigninLogs
    | where ResultType == 0
    | where Timestamp > ago(30d)
    | distinct IPAddress
) on IPAddress
| project Timestamp, UserPrincipalName, IPAddress, AppDisplayName, Location, DeviceDetail
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for active network connections established by processes that are not typically network-facing, potentially indicating C2 or data exfiltration activity.

VQL — Velociraptor
-- Hunt for unusual network connections from non-browser processes
SELECT Pid, Name, CommandLine, RemoteAddress, RemotePort, State
FROM netstat()
WHERE State =~ 'ESTABLISHED'
  AND Name NOT IN ('chrome.exe', 'msedge.exe', 'firefox.exe', 'svchost.exe', 'lsass.exe', 'system')
  AND RemoteAddress NOT IN ('127.0.0.1', '::1', '0.0.0.0')
  AND RemotePort NOT IN (80, 443, 123)

Remediation Script (PowerShell)

This script aids in the immediate response by auditing the local administrators group for unexpected or dormant accounts—a common persistence mechanism used in unauthorized access scenarios.

PowerShell
# Audit Local Administrators for Unauthorized Access
function Invoke-AdminAudit {
    $AdminGroup = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
    $SuspiciousAccounts = @()

    foreach ($Member in $AdminGroup) {
        # Check for non-standard accounts (e.g., not Administrator, Domain Admins)
        if ($Member.Name -notmatch "Administrator" -and $Member.Name -notmatch "Domain Admins") {
            $AccountInfo = Get-LocalUser -Name $Member.SID.Value -ErrorAction SilentlyContinue
            
            if ($AccountInfo) {
                # Flag if enabled and not recently logged in (potential dormant backdoor)
                if ($AccountInfo.Enabled -eq $true -and $AccountInfo.LastLogon -lt (Get-Date).AddDays(-90)) {
                    $SuspiciousAccounts += [PSCustomObject]@{
                        AccountName = $Member.Name
                        SID = $Member.SID.Value
                        LastLogon = $AccountInfo.LastLogon
                        Status = "Enabled / Dormant"
                    }
                }
            }
        }
    }

    if ($SuspiciousAccounts.Count -gt 0) {
        Write-Host "[ALERT] Suspicious or dormant administrator accounts found:" -ForegroundColor Red
        $SuspiciousAccounts | Format-Table -AutoSize
    } else {
        Write-Host "[INFO] No suspicious dormant administrator accounts detected." -ForegroundColor Green
    }
}

Invoke-AdminAudit

Remediation

In response to the "unauthorized access" reported by Florida Retina Center, healthcare entities must execute the following defensive measures immediately:

  1. Credential Reset: Force a password reset for all users with access to the affected systems, particularly those with privileged access. Enforce MFA (Multi-Factor Authentication) if not already active.

  2. Access Control Review (Least Privilege): Audit and restrict user permissions. Ensure that users only have access to the specific patient records necessary for their role (Role-Based Access Control).

  3. Network Segmentation: Verify that systems containing PHI are isolated from the general network and IoT devices. Segment PACS and EHR servers to prevent lateral movement.

  4. Log Retention and Analysis: Enable detailed logging for file access, logon events, and privilege changes on all PHI-containing systems. Forward these logs to a SIEM for continuous monitoring.

  5. Endpoint Detection and Response (EDR): Ensure EDR sensors are deployed and functioning correctly on all servers and workstations handling patient data to detect anomalous process execution.

  6. Vendor and Third-Party Risk: If the breach involved third-party access (e.g., IT vendors), immediately revoke their access until a security review is conducted.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcaredata-breachphi

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action