Back to Intelligence

Healthcare Data Breaches: Analysis of Illinois & Texas Incidents and Defending Against PHI Exfiltration

SA
Security Arsenal Team
April 21, 2026
8 min read

Introduction

The healthcare sector remains the most targeted industry for cybercrime, driven by the high value of Protected Health Information (PHI) on the dark web. Recently, Southern Illinois Dermatology, Saint Anthony Hospital (Chicago), and the North Texas Behavioral Health Authority (NTBHA) disclosed separate data breaches impacting a combined total of over 600,000 individuals.

These incidents are not isolated statistical anomalies; they represent a sustained campaign against healthcare providers. Based on the breach notifications, the vectors involve unauthorized network access and compromised email accounts. For defenders, this reinforces the urgent need to move beyond basic compliance checks and implement aggressive detection logic for data staging and exfiltration. When a threat actor gains access to a healthcare network, the clock starts ticking until they locate and exfiltrate patient data. This post breaks down the likely attack chains and provides the specific detection rules and remediation steps needed to defend against these active threats.

Technical Analysis

While specific CVEs were not disclosed in the initial notifications for these three entities, the attack vectors described align with the most prevalent initial access vectors in the healthcare sector: Social Engineering (Phishing) leading to Business Email Compromise (BEC) and Unauthorized Network Access.

  • Affected Entities:

    • Southern Illinois Dermatology: Reported unauthorized access to their network systems.
    • Saint Anthony Hospital: Reported that an employee email account was compromised.
    • North Texas Behavioral Health Authority: Reported unauthorized access to employee email accounts.

  • Attack Chain (Defender's Perspective):

    1. Initial Access: Phishing campaigns targeting administrative staff or clinicians. Credentials are harvested via credential harvesting sites or malware.
    2. Persistence: Threat actors leverage valid credentials (often without triggering MFA if it is not enforced) to access webmail (OWA/Outlook) or VPN portals.
    3. Discovery: In email compromise scenarios, actors use "Folder Visits" and "Search" activities to locate PHI attachments (medical records, insurance ID scans, lab results). In network intrusions (Southern Illinois Dermatology), actors enumerate file shares looking for \Patients\, \Medical Records\, or databases.
    4. Collection & Staging: Data is aggregated. This may involve compressing files into archives (ZIP, RAR) on the endpoint or utilizing the native email export functionality to forward messages to external accounts.
    5. Exfiltration: Data is transferred out via SMTP forwarding, authorized cloud storage (OneDrive/Google Drive) syncs to personal accounts, or anonymous file transfer services.

  • Exploitation Status: Confirmed active exploitation via credential theft and unauthorized access. No zero-day exploit is required; the vulnerability lies in identity protection and configuration.

Detection & Response

Defending against these breaches requires detecting the behavior of data theft. Standard antivirus will not catch an authorized user exporting emails. We must hunt for mass data access and egress patterns.

SIGMA Rules

YAML
---
title: Potential Mass Email Export via Office 365
id: 8a4b3c2d-1e0f-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects potential mass export or access of mail items, often indicative of data staging in BEC incidents. Focuses on OfficeActivity logs indicating high volume interaction.
references:
  - https://attack.mitre.org/techniques/T1114/002/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.collection
  - attack.t1114.002
  - attack.exfiltration
logsource:
  product: o365
  service: exchange
detection:
  selection:
    Operation|contains:
      - 'SearchQueryStarted'
      - 'UpdateInboxRules'
      - 'New-MailboxExportRequest'
    ClientIP|cidr:
      - '0.0.0.0/0' # Filter internal trusted ranges in prod
  condition: selection | count() > 50
  timeframe: 15m
falsepositives:
  - Legitimate mailbox migration activities
  - Bulk user cleanup by admins
level: high
---
title: Suspicious Compression of Sensitive Directories
id: 9d5c4e3f-2f1a-5b6c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects suspicious compression processes (e.g., PowerShell, WinRAR, 7-Zip) creating archives in user profiles or temp folders, common in data staging before exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\winrar.exe'
      - '\7z.exe'
  selection_cli:
    CommandLine|contains:
      - 'Compress-Archive'
      - '-a' # 7zip/rar add switch
      - 'a -tzip'
  selection_path:
    CommandLine|contains:
      - 'C:\Users\Public\'
      - 'C:\Temp\'
      - 'C:\ProgramData\'
      - 'AppData\Local\Temp'
  condition: all of selection_*
falsepositives:
  - Legitimate system backups
  - IT support archiving logs
level: high
---
title: Large Volume Egress via Non-Standard Browser
id: 0e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
status: experimental
description: Identifies large data transfers from endpoints to the internet via processes other than major browsers, potentially indicating FTP or custom upload tools used in exfiltration.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2025/04/09
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|notcontains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\iexplore.exe'
  filter:
    DestinationPort:
      - 80
      - 443
      - 8080
  condition: selection and not filter | count(DestBytes) > 50000000
  timeframe: 5m
falsepositives:
  - Video conferencing traffic
  - Software updates
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for unusual MailItemsAccessed patterns indicative of PHI harvesting
OfficeActivity
| where Operation == "MailItemsAccessed"
| extend Folder = parse_(Folders)[0]
| where Folder contains "Inbox" or Folder contains "Sent" or Folder contains "Archive"
| summarize AccessCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserId, ClientIP, Operation
| where AccessCount > 100
| extend IPInfo = split(ClientIP, ':')[0]
| project StartTime, EndTime, UserId, IPInfo, AccessCount
| order by AccessCount desc

// Correlate sign-in anomalies with subsequent data export activities
SigninLogs
| where ResultType == 0
| where RiskLevelDuringSignIn in ("medium", "high")
| project SignInTime = TimeGenerated, UserPrincipalName, IPAddress, DeviceDetail, Location
| join (
    OfficeActivity
    | where Operation in ("Export", "New-MailboxExportRequest", "CreateFolder")
    | project ExportTime = TimeGenerated, UserId, Operation, ClientIP
) on $left.UserPrincipalName == $right.UserId
| where ExportTime between (SignInTime .. SignInTime + 1h)
| project SignInTime, ExportTime, UserPrincipalName, IPAddress, Operation, Location

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently created archives in user profiles which may contain staged PHI
SELECT FullPath, Size, Mtime, Btime, Mode
FROM glob(globs='C:\Users\*\*.zip', globs='C:\Users\*\*.rar', globs='C:\Users\*\*.7z')
WHERE Mtime > now() - 7d
  AND Size > 1024 * 1024 // Greater than 1MB

-- Hunt for PowerShell processes that may be used for data dumping
SELECT Pid, Name, CommandLine, Exe, StartTime, Username
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND (CommandLine =~ "Compress-Archive" OR CommandLine =~ "Export-Csv" OR CommandLine =~ "Out-File")
  AND StartTime > now() - 1h

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit and Remediate Potential PHI Staging Locations.
.DESCRIPTION
    This script scans common user directories for large compressed archives created
    within the last 24 hours and outputs a report for IR review. It also checks for
    suspicious Inbox Rules often used in BEC to hide exfiltration activity.
#>

# Define Timeframe
$Date = (Get-Date).AddDays(-1)
$ReportPath = "C:\Temp\PHI_Staging_Report.txt"

# Scan for suspicious archives
Write-Host "Scanning for recently created archives..."
$SuspiciousFiles = Get-ChildItem -Path "C:\Users\" -Recurse -Include @("*.zip","*.rar","*.7z") -ErrorAction SilentlyContinue | 
    Where-Object { $_.LastWriteTime -gt $Date -and $_.Length -gt 5MB }

if ($SuspiciousFiles) {
    $SuspiciousFiles | Select-Object FullName, LastWriteTime, Length, @{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}} | Out-File $ReportPath
    Write-Host "Suspicious files found. Report generated at $ReportPath"
    # In a real IR scenario, you might quarantine these files:
    # $SuspiciousFiles | Move-Item -Destination "C:\Quarantine\" -Force
} else {
    Write-Host "No suspicious archives found matching criteria."
}

# Check for Suspicious Inbox Rules (requires Exchange Online Module or local Exchange shell access)
# This is a placeholder for the logic to run on a mail server or via API
Write-Host "Checking for suspicious Inbox Rules (API connection required)..."
# Get-InboxRule -Mailbox "affected.user@domain.com" | Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null }

Remediation

Based on the tactics observed in these breaches, immediate remediation should focus on identity hardening and data containment:

  1. Force Password Resets & MFA Enforcement: For all users identified in the investigation (specifically those at Southern Illinois Dermatology, Saint Anthony Hospital, and NTBHA domains), enforce a password reset. Ensure Multi-Factor Authentication (MFA) is enabled for all accounts, especially clinical and administrative staff.

  2. Audit and Remove Forwarding Rules: Threat actors frequently configure inbox rules to automatically forward all incoming mail to an external address. Conduct an organization-wide audit of Exchange Online inbox rules using the Get-InboxRule cmdlet. Remove any rules that forward to external, non-whitelisted domains.

  3. Conditional Access Policies: Implement Azure AD Conditional Access policies to block sign-ins from risky locations or anonymous IP addresses. Restrict access to OWA and Exchange PowerShell to specific managed devices or trusted locations.

  4. Session Hardening: Reduce session timeouts to 15-30 minutes for web applications, particularly email and EHR portals.

  5. Network Segmentation: Verify that EHR systems and databases housing PHI are not directly accessible from the general user VLAN or the internet without strict jump-host access and monitoring.

Official Vendor Resources:

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcare-breachdata-exfiltrationphi-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
Healthcare Data Breaches: Analysis of Illinois & Texas Incidents and Defending Against PHI Exfiltration | Security Arsenal | Security Arsenal