Introduction
The recent announcements of data breaches by ERMI (Georgia), McLeod Physician Associates (South Carolina), and the Centers for Dialysis Care constitute a significant wave of cyber incidents impacting the Healthcare and Public Health (HPH) sector. While specific technical vectors are often withheld in early disclosures, the convergence of these events suggests a systemic targeting of Protected Health Information (PHI) and Personally Identifiable Information (PII). For defenders, this is not merely a headline; it is an immediate call to audit ingress paths, validate egress controls, and hunt for indicators of unauthorized access within Electronic Health Record (EHR) systems and associated medical device networks.
Technical Analysis
Based on the current threat landscape targeting healthcare entities in 2026, these breaches likely involve the following attack progression:
- Affected Assets: The targeted entities operate diverse environments, including medical equipment supply chains (ERMI), large physician practice networks (McLeod), and critical care infrastructure (Centers for Dialysis Care). This implies a mix of IT networks and potential Internet of Medical Things (IoMT) exposure.
- Attack Vector: While no specific CVE is listed in the source disclosures, breaches of this nature in 2026 frequently originate from:
- Phishing/Vishing: Initial access via credential harvesting.
- Third-Party Supply Chain Compromise: Given ERMI's role in equipment, supply chain upstream exploitation is a high probability.
- Remote Services Abuse: Exploitation of unpatched VPNs or RDP services.
- Impact: The primary objective is data theft (exfiltration) rather than operational disruption (ransomware), though the two often overlap. Adversaries gain access to file shares containing patient records, insurance data, and medical histories.
Detection & Response
Given the lack of a specific CVE, we must deploy behavioral detection logic to identify the tactics, techniques, and procedures (TTPs) associated with data staging and exfiltration common in these breaches.
SIGMA Rules
---
title: Potential Data Staging via Archiving Tools
id: 8a2b3c4d-1e9f-4a5b-8c3d-2e9f4a5b6c7d
status: experimental
description: Detects the use of archiving tools like 7-Zip or WinRAR on file servers, which often precedes data exfiltration in healthcare breaches.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\zip.exe'
CommandLine|contains:
- '-a'
- 'compress'
- 'archive'
filter:
ParentImage|contains:
- '\Program Files\'
- '\Windows\System32\'
condition: selection and not filter
falsepositives:
- Legitimate administrative backups
level: high
---
title: Suspicious Inbound RDP from Public IP
id: 9b3c4d5e-2f0a-5b6c-9d4e-3f0a5b6c7d8e
status: experimental
description: Detects incoming RDP connections from external public IP addresses, a common vector for initial access in healthcare targeted attacks.
references:
- https://attack.mitre.org/techniques/T1021.001/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1021.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 3389
Initiated: 'true'
filter:
SourceIp|startswith:
- '10.'
- '192.168.'
- '172.16.'
- '127.'
- '::1'
condition: selection and not filter
falsepositives:
- Legitimate remote administration by approved staff
level: medium
---
title: Mass File Access via PowerShell
id: 0c4d5e6f-3g1b-6c7d-0e5f-4g1b6c7d8e9f
status: experimental
description: Detects PowerShell scripts attempting to access or enumerate a large number of files, indicative of data discovery/thecf.
references:
- https://attack.mitre.org/techniques/T1083/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'Get-ChildItem'
- 'Get-Item'
- 'ls '
condition: selection
falsepositives:
- System administration scripts
level: low
KQL (Microsoft Sentinel / Defender)
// Hunt for unusual volume of data transfer or potential exfiltration activity
// Combines process creation with network events
let TimeFrame = 1h;
let ProcessThreshold = 50;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in~ ('powershell.exe', 'cmd.exe', 'winrar.exe', '7z.exe')
| summarize count() by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where count_ > ProcessThreshold
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where ActionType in ('ConnectionSuccess', 'InboundConnectionAccepted')
| summarize RemoteIPCount = dcount(RemoteIP), RemoteIPs = make_set(RemoteIP) by DeviceName, bin(Timestamp, 5m)
) on DeviceName, Timestamp
| project DeviceName, Timestamp, InitiatingProcessFileName, Account = InitiatingProcessAccountName, ProcessCount = count_, RemoteIPCount, RemoteIPs
| order by Timestamp desc
Velociraptor VQL
-- Hunt for processes with high handle counts or open file handles
-- indicative of data scraping or mass encryption/exfiltration prep
SELECT Pid, Name, CommandLine, Username, Handles, CreateTime
FROM pslist()
WHERE Handles > 500
OR Name =~ 'powershell'
OR Name =~ 'cmd'
ORDER BY Handles DESC
LIMIT 50
Remediation Script (PowerShell)
# Script to Audit RDP Access and Recent User Group Modifications
# Run as Administrator
Write-Host "[+] Auditing RDP Configuration..."
$rdpProperty = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($rdpProperty.fDenyTSConnections -eq 0) {
Write-Host "[!] WARNING: RDP is ENABLED. Ensure network level restrictions (NACLs/Firewalls) are active." -ForegroundColor Yellow
} else {
Write-Host "[+] RDP is disabled at host level." -ForegroundColor Green
}
Write-Host "[+] Checking for recent group membership changes (Past 7 Days)..."
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4728,4732,4756; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
if ($Events) {
$Events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
} else {
Write-Host "[+] No recent group modification events found."
}
Write-Host "[+] Identifying accounts with 'Password Never Expires' set..."
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} | Select-Object Name, SamAccountName, DistinguishedName
Remediation
In response to these specific breach announcements, healthcare organizations should immediately execute the following defensive roadmap:
- Audit Third-Party Access: Given ERMI's medical equipment profile, review all external vendor access (VPN, Citrix, TeamViewer). Enforce Zero Trust Network Access (ZTNA) principles.
- Log Review for EHR Access: Correlate login logs for EHR applications (e.g., Epic, Cerner) against the timelines of the reported breaches. Look for anomalous access hours or mass record querying.
- Network Segmentation: Ensure IoMT devices (dialysis machines, monitoring equipment) are on isolated VLANs, separate from the general IT network where PHI is stored.
- Credential Hygiene: Force a password reset for all accounts with access to file servers containing PHI, specifically targeting administrative and billing departments.
- Egress Filtering: Configure firewalls to block outbound traffic on non-standard ports (e.g., blocking SMTP except from mail servers) and inspect SSL/TLS traffic for large data transfers.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.