Back to Intelligence

Healthcare Data Breaches: Defending Against PHI Exfiltration at Ohio Living and Erlanger

SA
Security Arsenal Team
July 17, 2026
5 min read

Introduction

Recent announcements from Ohio Living, Erlanger Health System, and Heart of America Eye Care confirm a disturbing trend in the healthcare sector: the successful compromise of Protected Health Information (PHI). While specific technical vectors (such as a zero-day CVE) were not immediately disclosed in the initial breach notifications, the impact is clear—threat actors are actively bypassing perimeter defenses to access sensitive patient data.

For defenders, this is not just a compliance exercise; it is an active defense scenario. The exposure of patient names, addresses, medical records, and insurance information fuels downstream fraud and targeted phishing. If your organization utilizes similar EHR (Electronic Health Record) platforms or third-party vendor ecosystems, you must assume similar probes are occurring against your environment right now.

Technical Analysis

Based on the nature of the affected entities—senior living and regional healthcare systems—the attack surface typically involves a mix of legacy on-premise systems and cloud-hosted patient portals.

  • Threat Vector: While no CVE (2025/2026) has been attributed to this specific announcement yet, recent healthcare breaches typically involve the exploitation of valid credentials (phishing) or vulnerabilities in remote access services.
  • Attack Chain: The likely chain involves Initial Access via compromised credentials -> Privilege Escalation (leveraging misassigned admin rights in EHR systems) -> Data Staging (aggregating PHI into archives) -> Exfiltration (via encrypted web traffic or FTP).
  • Impact: Unauthorized access to PHI. The objective is data theft rather than ransomware encryption in these specific instances, requiring a shift in detection logic from "file encryption" to "data access anomalies."

Detection & Response

Without specific IOCs, we must deploy behavioral hunting rules designed to detect the mechanics of data theft. Below are high-fidelity detection mechanisms for active exfiltration and suspicious EHR access.

SIGMA Rules

YAML
---
title: Potential Mass Data Exfiltration via PowerShell
id: 8a4f2c1d-9e3b-4f5a-8b1c-2d3e4f5a6b7c
status: experimental
description: Detects potential data exfiltration activity using PowerShell web requests or compression often used prior to data theft.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1567.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_compression:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Compress-Archive'
      - 'Copy-ToZip'
  selection_webreq:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  filter_legit:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\management.exe'
  condition: selection_compression or selection_webreq
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Suspicious Access to Patient Data Directories
id: 9b5g3d2e-0f4c-5a6b-9c2d-3e4f5a6b7c8d
status: experimental
description: Detects processes accessing high volume of files in common EHR or document storage paths, indicative of data staging.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Patients\'
      - '\MedicalRecords\'
      - '\PHI\'
      - '\EHR\'
  filter_legit_apps:
    Image|contains:
      - '\EHRApplication.exe'
      - '\ChartPlus.exe'
  condition: selection and not filter_legit_apps
falsepositives:
  - Known EHR software updates
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for anomalous sign-in events followed by heavy data export activities, common in breach investigations involving PHI.

KQL — Microsoft Sentinel / Defender
let HighRiskCountries = dynamic(["CN", "RU", "KP", "IR"]);
let TimeFrame = 1d;
SigninLogs
| where Timestamp > ago(TimeFrame)
| where ResultType == 0
| where ConditionalAccessStatus in ("failure", "notApplied")
| extend Location = tostring(LocationDetails['countryOrRegion'])
| where Location in~ HighRiskCountries or isnull(Location)
| join kind=inner (
    AuditLog
    | where Timestamp > ago(TimeFrame)
    | where Operation in ("MailItemsAccessed", "SearchQueryStarted", "FileDownloaded")
) on AccountObjectId
| summarize Count = count() by AccountName, Location, bin(Timestamp, 1h)
| where Count > 50 // Threshold for bulk access
| project Timestamp, AccountName, Location, Count

Velociraptor VQL

Hunt for recently created archives (ZIP, RAR, 7z) in user profiles, which often indicates data staging for exfiltration.

VQL — Velociraptor
-- Hunt for suspicious archive files created recently in user directories
SELECT FullPath, Size, Mtime, Sys.mode
FROM glob(globs="C:/Users/*/*.zip", root="/")
WHERE Mtime > now() - 24h
  AND Size > 1024 * 1024 -- Greater than 1MB

UNION ALL

SELECT FullPath, Size, Mtime, Sys.mode
FROM glob(globs="C:/Users/*/*.rar", root="/")
WHERE Mtime > now() - 24h
  AND Size > 1024 * 1024

Remediation Script (PowerShell)

Use this script to audit Active Directory for accounts with excessive privileges that could be used to access broad sets of PHI, a common finding in post-breach forensics.

PowerShell
# Audit AD for High Privilege Groups and Last Logon
# Requires ActiveDirectory Module

Import-Module ActiveDirectory

$PrivilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators", "Backup Operators")

foreach ($Group in $PrivilegedGroups) {
    Write-Host "Auditing Members of: $Group" -ForegroundColor Cyan
    try {
        $Members = Get-ADGroupMember -Identity $Group -Recursive | 
                   Select-Object Name, SamAccountName, @{Name='LastLogon';Expression={(Get-ADUser $_.SamAccountName -Properties LastLogonDate).LastLogonDate}}
        
        if ($Members) {
            $Members | Format-Table -AutoSize
            # Check for stale accounts (unused in 90 days)
            $StaleAccounts = $Members | Where-Object { $_.LastLogon -lt (Get-Date).AddDays(-90) }
            if ($StaleAccounts) {
                Write-Host "[ALERT] Stale accounts found in $Group:" -ForegroundColor Red
                $StaleAccounts | Select-Object Name, LastLogon
            }
        } else {
            Write-Host "No members found." -ForegroundColor Green
        }
    }
    catch {
        Write-Host "Error querying group $Group : $_" -ForegroundColor Red
    }
    Write-Host "----------------------------------------"
}

Remediation

  1. Immediate Credential Reset: Force a password reset for all users with access to EHR systems and sensitive databases, particularly those who exhibit signs of impossible travel or anomalous logons.
  2. Review Access Logs: Conduct a granular review of EHR audit logs for the past 60 days. Look for user accounts accessing patient records outside their usual department or volume norms.
  3. Restrict Privileged Access: Implement Just-In-Time (JIT) access for administrative roles. Ensure "Break Glass" accounts are audited and have MFA enforced.
  4. Egress Filtering: Block outbound traffic to known non-business file-sharing sites (e.g., personal OneDrive, Dropbox, Mega) from clinical workstations and servers.
  5. Vendor Risk Assessment: If the breach is linked to a third-party vendor (common in supply chain attacks), revoke their access immediately until a security review and forced credential rotation is completed.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcaredata-breachphi-exfiltrationincident-responsehipaa

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.