Back to Intelligence

Henderson & Walton Settlement: Defending Against Healthcare PHI Data Breaches

SA
Security Arsenal Team
June 8, 2026
6 min read

The recent class action settlement involving Henderson & Walton Women’s Center serves as a stark reminder of the financial and reputational risks associated with Protected Health Information (PHI) breaches. While the specific technical vector of this breach was not disclosed in the settlement summary, the outcome—unauthorized access to sensitive patient data—highlights a critical failure in defensive visibility. For Security Operations Center (SOC) analysts and defenders in the healthcare sector, the lesson is clear: we must shift from reactive compliance to proactive detection of data staging and exfiltration activities.

Introduction

Healthcare entities remain prime targets for cybercriminals due to the high value of PHI on the dark web. The Henderson & Walton settlement underscores that legal repercussions are the inevitable result of failing to safeguard patient records. Defenders need to act now to ensure their environments are not just compliant, but resilient against active theft of data. In 2026, attackers are increasingly bypassing perimeter defenses and focusing on credential theft and internal data staging. If you are not monitoring for mass data aggregation and archiving, you are flying blind.

Technical Analysis

While this specific news item did not cite a specific CVE (e.g., a 2025/2026 vulnerability in a specific EHR product), the "data breach" classification implies a successful chain of: Initial Access (likely phishing or credential stuffing) -> Persistence -> Lateral Movement -> Collection (Data Staging) -> Exfiltration.

Affected Scope: Healthcare providers managing Electronic Health Records (EHR) and imaging systems (PACS).

Threat Vector: Unauthorized disclosure of PHI. In 2026, we observe that adversaries often utilize legitimate administrative tools to "stage" data before exfiltration. They compress databases or patient folders into archives (e.g., RAR, 7z, ZIP) to evade network DLP controls that might trigger on raw text or DICOM files.

Exploitation Status: The breach at Henderson & Walton is confirmed, resulting in legal settlement. This indicates a failure in detecting the "Collection" phase of the attack chain.

Detection & Response

Since the specific malware or exploit wasn't disclosed, we focus on the universal indicators of data theft: mass data compression and suspicious command-line archiving. Detecting the intent to steal data is often more reliable than catching the initial access in large, decentralized healthcare IT environments.

We have developed the following detection rules to identify adversaries attempting to package patient data for exfiltration.

YAML
---
title: Potential Data Staging via WinRAR Command Line
id: 8a2b4c1d-9e3f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects the use of WinRAR (rar.exe) with command-line switches indicative of data archiving and potential staging for exfiltration. Adversaries often use compression to hide data volume and bypass DLP.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rar.exe'
      - '\winrar.exe'
    CommandLine|contains:
      - 'a -' # Add to archive
      - '-hp' # Encrypt with password
  condition: selection
falsepositives:
  - Legitimate administrative backups (rare on user workstations)
level: high
---
title: Potential Data Staging via 7-Zip with Encryption
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the use of 7-Zip (7z.exe) creating archives with passwords, a common method used by threat actors to package stolen PHI.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\7z.exe'
    CommandLine|contains:
      - 'a ' # Add command
      - '-p' # Password parameter
  condition: selection
falsepositives:
  - Known backup scripts
level: high
---
title: Suspicious PowerShell Invoke-WebRequest for Data Exfiltration
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects PowerShell scripts attempting to upload data to external endpoints using Invoke-WebRequest or WebClient, common for exfiltrating smaller datasets or credentials.
references:
  - https://attack.mitre.org/techniques/T1048/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  category: process_creation
  product: windows
detection:
  selection_script:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmdlet:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IWR'
      - 'WebClient'
  selection_params:
    CommandLine|contains:
      - '-Method POST'
      - '-Body'
  condition: all of selection_*
falsepositives:
  - Legitimate update scripts or system management tools
level: medium


**KQL (Microsoft Sentinel / Defender)**

Hunt for suspicious archiving activity and large outbound transfer volumes indicative of a breach.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious archiving processes (WinRAR, 7-Zip) on servers or workstations
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("rar.exe", "winrar.exe", "7z.exe", "zip.exe")
| where ProcessCommandLine contains_any ("a ", "-m", "-hp", "-p")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend Timestamp
| order by Timestamp desc


// Hunt for high volume outbound network connections (Potential Exfiltration)
DeviceNetworkEvents
| where Timestamp > ago(12h)
| where RemotePort in (443, 80) or RemotePort >= 8000
| where ActionType == "ConnectionSuccess"
| summarize TotalBytesSent = sum(SentBytes), Count = count() by DeviceName, RemoteUrl, RemoteIP
| where TotalBytesSent > 50000000 // Greater than 50MB sent to single destination
| project DeviceName, RemoteUrl, RemoteIP, TotalBytesSent, Count
| order by TotalBytesSent desc


**Velociraptor VQL**

Hunt endpoint filesystem for recently created archives that may contain staged patient data.

VQL — Velociraptor
-- Hunt for recently created RAR/ZIP/7Z files in user directories and common data folders
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/Users/*/*.rar", root=/)
WHERE Mtime > now() - 24h

UNION ALL

SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/Users/*/*.zip", root=/)
WHERE Mtime > now() - 24h

UNION ALL

SELECT FullPath, Size, Mtime, Mode
FROM glob(globs="/Users/*/*.7z", root=/)
WHERE Mtime > now() - 24h


**Remediation Script (PowerShell)**

Use this script to audit common PHI storage locations for the presence of unauthorized archives.

PowerShell
<#
.SYNOPSIS
    Audit script to detect unauthorized archives in PHI-sensitive directories.
.DESCRIPTION
    Scans defined root paths for RAR, ZIP, and 7Z files created within the last 7 days.
    This helps identify potential data staging points left by an intruder.
#>

$LogPath = "C:\Windows\Temp\PHI_Audit_Log.txt"
$ScanPaths = @("C:\PHI_Data", "D:\Patient_Records", "\\EHR-Server\Shares")
$ExtensionFilter = @("*.rar", "*.zip", "*.7z")
$DaysToScan = 7

Write-Output "Starting PHI Archive Audit..." | Out-File -FilePath $LogPath -Append

foreach ($Path in $ScanPaths) {
    if (Test-Path $Path) {
        Write-Output "Scanning Path: $Path" | Out-File -FilePath $LogPath -Append
        Get-ChildItem -Path $Path -Recurse -Include $ExtensionFilter -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToScan) } | 
        Select-Object FullName, LastWriteTime, Length, @{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}} | 
        Export-Csv -Path "$LogPath.csv" -Append -NoTypeInformation
    }
}
Write-Output "Audit Complete. Review CSV output." | Out-File -FilePath $LogPath -Append

Remediation

To prevent the type of breach that led to the Henderson & Walton settlement, healthcare organizations must implement the following controls immediately:

  1. Network Segmentation: Ensure EHR and PACS servers reside in isolated VLANs, strictly limiting inbound and outbound traffic. Workstations should not be able to initiate SMB or RDP connections directly to database servers.
  2. Data Loss Prevention (DLP): Deploy DLP policies that specifically tag and monitor SSNs, medical record numbers, and CPT codes. Alert on any attempt to encrypt or compress files containing these tags.
  3. Privileged Access Management (PAM): Revoke local administrator rights from clinical staff. Use Just-In-Time (JIT) access for IT admins to prevent credential dumping.
  4. Audit Log Retention: Enable centralized logging (Syslog/CEF) for all EHR application access logs and retain them for a minimum of 6 years, aligning with HIPAA and state breach notification requirements.
  5. Patch Management: While no specific CVE was cited in this case, ensure all underlying infrastructure (Windows Server, SQL, IIS) is patched against 2025/2026 critical vulnerabilities.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcarephi-breachincident-response

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action