Back to Intelligence

Healthcare Data Breaches: PHI Exfil Detection & Response for Western Orthopaedics, CHS, and Tri-Cities

SA
Security Arsenal Team
May 7, 2026
5 min read

Recent announcements from Western Orthopaedics (Colorado), Community Health Systems (California), and Tri-Cities Gastroenterology (Tennessee) have confirmed unauthorized access to sensitive healthcare data. While the specific vectors for each incident are under investigation, the pattern of targeting healthcare providers for Protected Health Information (PHI) is accelerating. For defenders, this is not a drill. The exfiltration of patient records leads to regulatory fines under HIPAA, but more critically, it paves the way for targeted phishing campaigns and medical identity theft against the victims.

The urgency for SOC teams is to pivot from passive monitoring to active hunting for post-exploitation behaviors—specifically data staging and exfiltration—within Electronic Health Record (EHR) environments.

Technical Analysis

Based on the preliminary details from these incidents, we are observing standard TTPs (Tactics, Techniques, and Procedures) associated with financially motivated threat actors targeting the healthcare sector.

  • Affected Platforms: Windows Server environments (likely hosting EHR/EMR solutions such as Epic, Cerner, or Meditech), email systems (Microsoft 365/Exchange), and file shares housing diagnostic imaging or patient documents.
  • Attack Chain:
    1. Initial Access: Likely via phishing, credential stuffing, or exploitation of unpatched external-facing services (e.g., VPN, RDP).
    2. Persistence: Creation of new accounts or scheduled tasks to maintain access.
    3. Lateral Movement: Usage of SMB/WinRM to move from the initial compromise point to database servers or file repositories.
    4. Collection: Usage of legitimate archiving tools (7-Zip, WinRAR) or native utilities (PowerShell) to stage large volumes of PHI.
    5. Exfiltration: Data uploaded to cloud storage (Mega, Dropbox) or transferred via encrypted channels (HTTPS/C2) to actor-controlled infrastructure.
  • Exploitation Status: These are confirmed active breaches involving data disclosure. While a specific zero-day CVE has not been publicly attributed to these announcements yet, the "human vulnerability" and potential abuse of valid credentials are the primary threats.

Detection & Response

The following detection mechanisms are designed to identify the "smoking gun" behaviors of data theft. In healthcare breaches, the volume of data accessed is often the differentiator between a simple failed login and a massive breach.

SIGMA Rules

YAML
---
title: Potential Data Staging via Archiving Tools
id: 8a5c2b14-1d3f-4e7a-9c12-3b4a5d6e7f8a
status: experimental
description: Detects the usage of common archiving tools (7-Zip, WinRAR) often used to compress and stage PHI data before exfiltration. High volume usage in user directories is suspicious.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/05/01
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\peazip.exe'
    CommandLine|contains:
      - 'a'
      - '-tzip'
      - '-m0'
  condition: selection
falsepositives:
  - Legitimate administrative backups
level: high
---
title: Suspicious PowerShell Data Compression
id: 9b6d3c25-2e4g-5f8b-0d23-4c5d6e7f8g9h
status: experimental
description: Detects PowerShell commands utilizing Compress-Archive or similar functions to bundle data, often used for stealthy exfiltration.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/05/01
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Compress-Archive'
      - 'System.IO.Compression.ZipFile'
  condition: selection
falsepositives:
  - System administrative scripts
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for processes creating archives or manipulating large numbers of files in a short time, indicative of data staging.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("7z.exe", "winrar.exe", "zip.exe") or ProcessCommandLine contains "Compress-Archive"
| extend ProcessDetail = strcat(ProcessCommandLine, " [User: ", InitiatingProcessAccountName, "]")
| summarize Count = count(), TimestampList = make_list(Timestamp) by DeviceName, FileName, ProcessDetail
| where Count > 5
| order by Count desc

Velociraptor VQL

Hunt for recently created archive files in user directories or shared drives that might contain PHI.

VQL — Velociraptor
-- Hunt for recently created archives in user profiles
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs=""/Users/*/*.zip"" OR globs=""/Users/*/*.rar"" OR globs=""/Users/*/*.7z"")
WHERE Mtime > now() - 7d
  AND Size > 1000000
-- Filter for archives larger than 1MB created in the last week

Remediation Script (PowerShell)

Use this script to audit local administrator group memberships and identify potential persistence mechanisms on endpoint servers implicated in the breach scope.

PowerShell
# Audit Local Admins and Scheduled Tasks for Persistence
Write-Host "Auditing Local Administrators..."
Get-LocalGroupMember -Group "Administrators" | Format-Table Name, SID, PrincipalSource -AutoSize

Write-Host "Checking for non-Microsoft scheduled tasks..."
Get-ScheduledTask | Where-Object {$_.TaskPath -ne "\Microsoft\"} | 
    Select-Object TaskName, TaskPath, State, LastRunTime | Format-Table -AutoSize

Write-Host "Identifying recent large file modifications (Potential Staging)..."
Get-ChildItem -Path C:\ -Recurse -Include *.zip,*.rar,*.7z -ErrorAction SilentlyContinue | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-3)} | 
    Select-Object FullName, Length, LastWriteTime | Sort-Object Length -Descending | Select-Object -First 10

Remediation

Given the confirmed breaches at these providers, immediate containment is the priority.

  1. Reset Credentials: Force password resets for all accounts with access to EHR systems, particularly focusing on service accounts and privileged users. Revoke all active sessions immediately.
  2. Review Access Logs: Conduct a granular review of EHR audit logs (Epic/Cerner/etc.) focusing on "abnormal" access patterns (e.g., users accessing records outside their department, bulk patient queries).
  3. Isolate Affected Systems: If a specific server (e.g., a file server for Tri-Cities Gastroenterology) is identified as the source, isolate it from the network but do not power it off to preserve volatile memory for forensic acquisition.
  4. Vendor Risk Assessment: Since Western Orthopaedics and others may rely on third-party vendors, review third-party access logs and terminate vendor VPN sessions until a security review is conducted.
  5. Patch Management: Ensure all VPN gateways, RDP services, and EHR web interfaces are patched against the latest known vulnerabilities (e.g., Citrix ADC, FortiOS, Palo Alto CVEs) if applicable to your environment.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachphi-exfilhealthcare-breachincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action