
How to Prevent Improper Access to Medical Records in Telehealth

Security Arsenal Team
March 19, 2026

Introduction

The recent admission by GuardDog Telehealth regarding improper access to patients’ medical records serves as a stark reminder of the vulnerabilities inherent in managing Protected Health Information (PHI). While the details of the specific breach continue to unfold, the core issue is a common one in healthcare security: the failure to enforce strict access boundaries and the principle of least privilege. For defenders, this incident underscores the critical need to move beyond simple compliance checklists and towards active, architectural defense of patient data. It highlights that unauthorized access is not always a sophisticated external hack; often, it is an internal failure of policy enforcement or configuration that leads to significant exposure.

Technical Analysis

The security event involving GuardDog Telehealth centers on Unauthorized Access / Insider Risk.

  • Event Type: Improper access to PHI (Protected Health Information). The organization reportedly accessed records beyond what was necessary for service delivery or failed to terminate access when it was no longer required.
  • Affected Systems: Electronic Health Records (EHR), Telehealth application databases, and potentially file storage systems housing patient documents.
  • Severity: High. Improper access to medical records constitutes a HIPAA violation, carries heavy financial penalties, and causes severe reputational damage and patient harm.
  • Root Cause: In technical terms, this class of incident usually traces to access control that was enforced too coarsely: Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) policies that granted more than the job function required, combined with user activity monitoring (UAM) that did not flag anomalous retrieval patterns. Data Loss Prevention (DLP) addresses the follow-on risk of records leaving the environment; it does not stop the initial over-broad access.

Executive Takeaways

For security leaders and CISOs, the GuardDog Telehealth incident provides several strategic imperatives:

  1. Vendor Risk Management is Critical: Third-party partners often have access to sensitive environments. Continuous monitoring of vendor access is no longer optional; it is a requirement for modern healthcare governance.
  2. Zero Trust Must Extend to Data: Zero Trust isn't just about network perimeter security. Identity verification and strict access validation must be applied to every single request to access patient data, regardless of where the request originates.
  3. Audit Trails are Your Best Defense: When an incident occurs, the ability to reconstruct exactly who accessed which records and when is what lets you scope the breach, notify only the patients actually affected, and demonstrate due diligence to regulators. Without that trail, you must assume every record was exposed.

Remediation

To prevent similar incidents within your organization, IT and security teams must implement the following defensive measures:

1. Implement Strict Role-Based Access Control (RBAC)

Ensure that users and service accounts only have access to the specific resources required for their job function. Regularly audit group memberships to prevent "permission creep."

2. Conduct User Access Reviews (UAR)

Managers must review access rights for their direct reports at least quarterly. Access should be revoked immediately upon role change or termination.
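Measures 1 and 2 are easier to reason about with a concrete policy in front of you. The following Python example is added here and is not code from the original article or from any telehealth vendor: it models a deny-by-default authorization check (role permissions plus a treatment-relationship attribute for clinical content, i.e. RBAC with an ABAC condition) and a user access review that compares EHR grants against an HR roster to find grants whose holder has left or changed role. The role names, user IDs, patient IDs and grants are constructed sample data.

```python
"""Least-privilege access decisions for patient records, plus a user access review.

Added example: the roles, users, patients and grants below are constructed sample
data and assumed role names; nothing here comes from a real EHR.
"""
from dataclasses import dataclass, field

# RBAC: role -> actions the role may perform. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "clinician": {"read_record", "write_note", "read_demographics"},
    "scheduler": {"read_demographics"},
    "billing":   {"read_demographics", "read_billing"},
}

# Actions that expose clinical content and therefore also require a care relationship.
CLINICAL_ACTIONS = {"read_record", "write_note"}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True                        # False once HR offboards the account
    treats: set = field(default_factory=set)   # patient IDs in the user's active care relationships


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(user: User, action: str, patient_id: str) -> Decision:
    """Deny by default. Allow only when the account is active, the role permits the
    action, and clinical actions target a patient the user actually treats (ABAC)."""
    if not user.active:
        return Decision(False, "account inactive")
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return Decision(False, f"role {user.role!r} is not permitted to {action}")
    if action in CLINICAL_ACTIONS and patient_id not in user.treats:
        return Decision(False, f"no treatment relationship with {patient_id}")
    return Decision(True, "ok")


def access_review(grants, roster):
    """User access review: return (user_id, granted_role, reason) for every grant
    whose holder has left or whose HR role no longer matches what was granted."""
    findings = []
    for user_id, granted_role in grants:
        person = roster.get(user_id)
        if person is None or not person.active:
            findings.append((user_id, granted_role, "holder terminated or unknown"))
        elif person.role != granted_role:
            findings.append((user_id, granted_role, f"holder now {person.role!r}"))
    return findings


# Constructed sample data: the HR roster (current role and status per account).
ROSTER = {
    "dr.patel":   User("dr.patel", "clinician", treats={"P1001", "P1002"}),
    "scheduler1": User("scheduler1", "scheduler"),
    "billing2":   User("billing2", "billing"),
    "former.rn":  User("former.rn", "clinician", active=False, treats={"P1003"}),
}

# (user_id, role granted in the EHR). billing2 moved from clinician to billing but
# kept the old grant (permission creep); former.rn was offboarded but never revoked.
GRANTS = [
    ("dr.patel", "clinician"),
    ("scheduler1", "scheduler"),
    ("billing2", "clinician"),
    ("billing2", "billing"),
    ("former.rn", "clinician"),
]

if __name__ == "__main__":
    for who, act, pid in [("dr.patel", "read_record", "P1001"),
                          ("dr.patel", "read_record", "P1003"),
                          ("billing2", "read_record", "P1001"),
                          ("former.rn", "read_record", "P1003")]:
        print(who, act, pid, authorize(ROSTER[who], act, pid))
    for finding in access_review(GRANTS, ROSTER):
        print("REVOKE", finding)
```

The treatment-relationship check is what separates "a clinician may read records" from "this clinician may read this patient's record"; the former is the kind of grant that lets one curious employee browse the whole database. The review routine deliberately takes the HR roster as the source of truth, so a role change or termination that IT missed surfaces as a revocation finding rather than staying invisible inside the EHR.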

3. Enable Advanced Auditing and Monitoring

Configure your systems to log every access to patient records, capturing at minimum the acting user, the patient identifier, the action performed and the timestamp; without the patient identifier the trail cannot answer who saw whose record. Forward these logs to a Security Information and Event Management (SIEM) solution and alert on bulk retrieval (one user touching many distinct patients in a short window) and on access outside of business hours.
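The two alert conditions named above can be expressed in a few dozen lines. The following Python example is added here and is not code from the original article: it parses constructed EHR access-log lines and flags (a) access outside business hours evaluated in the clinic's local time zone and (b) a user reaching five or more distinct patient records within any rolling 60-minute window. The log format, field names, the clinic time zone (a fixed UTC-5 offset) and the thresholds are assumptions.

```python
"""Detection logic for the two alert conditions above: bulk retrieval of patient
records and access to PHI outside business hours.

Added example with constructed log lines. The log format, field names, the clinic's
time zone and the thresholds are assumptions, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed clinic time zone (fixed UTC-5) and business hours: Mon-Fri, 08:00 to 18:00 local.
CLINIC_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = 8, 18
# Bulk access: this many distinct patients by one user inside any rolling window.
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=60)

# Constructed EHR access log: one record-level event per line, timestamps in UTC.
SAMPLE_LOG = """\
2026-03-17T14:02:11Z user=dr.patel action=read_record patient=P1001
2026-03-17T14:05:43Z user=dr.patel action=write_note patient=P1001
2026-03-17T14:40:02Z user=dr.patel action=read_record patient=P1002
2026-03-17T18:15:00Z user=scheduler1 action=read_demographics patient=P1003
2026-03-18T04:31:19Z user=billing2 action=read_record patient=P1004
2026-03-18T04:44:03Z user=billing2 action=read_record patient=P1005
2026-03-18T04:52:50Z user=billing2 action=read_record patient=P1006
2026-03-18T05:03:17Z user=billing2 action=read_record patient=P1007
2026-03-18T05:11:08Z user=billing2 action=read_record patient=P1008
2026-03-18T05:19:45Z user=billing2 action=read_record patient=P1004
"""


def parse_line(line):
    """'<ISO-8601 UTC> key=value ...' -> dict with an aware datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for item in fields:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_after_hours(ts_utc):
    """Evaluate in clinic local time; judging the UTC hour alone misclassifies evening access."""
    local = ts_utc.astimezone(CLINIC_TZ)
    return local.weekday() >= 5 or not (BUSINESS_START <= local.hour < BUSINESS_END)


def after_hours_alerts(events):
    """One alert per PHI access outside business hours: (user, UTC time, patient)."""
    return [(e["user"], e["ts"].isoformat(), e["patient"]) for e in events if is_after_hours(e["ts"])]


def bulk_access_alerts(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """One alert per user at the moment they reach `threshold` distinct patients within a
    rolling `window`: (user, UTC time of the triggering access, distinct count).
    A rolling window catches a burst that straddles a calendar-hour boundary, which
    fixed hourly buckets would split in two and possibly miss."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((user, e["ts"].isoformat(), len(distinct)))
                break   # alert once per user per run; the resulting case covers the rest
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"after_hours": after_hours_alerts(events), "bulk_access": bulk_access_alerts(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(rule, *hit)
```

In the sample, billing2's reads start at 23:31 local on a Tuesday and cross midnight, so the burst is split across two calendar hours; the rolling window still trips at the fifth distinct patient. In a SIEM the same logic is a windowed distinct-count per user, and the threshold should be tuned per role, since billing staff legitimately touch more records per hour than a single clinician does.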

4. Verify Access Permissions with PowerShell

Defenders should regularly audit file systems and databases where PHI resides to ensure permissions are tight. The following PowerShell script walks a PHI directory tree, lists the access control entries that are not well-known system principals, and flags those that grant write, modify, delete or full-control rights, or that name broad groups such as Everyone, Authenticated Users or Domain Users. Review anything flagged against the job function the principal actually performs:

# Directory tree that stores PHI. Audit the root and every subfolder: an over-permissive
# entry on a child folder exposes records just as much as one on the root.
$Path = "C:\HealthData\PatientRecords"
$Folders = @($Path) + (Get-ChildItem -Path $Path -Directory -Recurse | ForEach-Object FullName)

# An ACE is excessive when it is an Allow entry that permits changing or deleting records,
# or that grants any right to a broad group. Generic rights can display as raw numbers;
# review those entries by hand.
$IsExcessive = {
    $_.AccessControlType -eq "Allow" -and (
        "$($_.FileSystemRights)"  -match "FullControl|Modify|Write|Delete" -or
        "$($_.IdentityReference)" -match "Everyone|Authenticated Users|Domain Users"
    )
}

$Folders | ForEach-Object {
    $Folder = $_
    # Skip well-known system principals (SYSTEM, Administrators, etc.) to focus on user and group grants
    (Get-Acl -Path $Folder).Access |
        Where-Object { $_.IdentityReference -notlike "BUILTIN\*" -and
                       $_.IdentityReference -notlike "NT AUTHORITY\*" } |
        Select-Object @{ Name = "Path"; Expression = { $Folder } },
                      IdentityReference, FileSystemRights, AccessControlType, IsInherited,
                      @{ Name = "Excessive"; Expression = $IsExcessive }
} | Sort-Object Excessive -Descending | Format-Table -AutoSize

5. Deploy Data Loss Prevention (DLP)

Utilize DLP solutions to detect and block unauthorized transmission of sensitive data (e.g., uploading patient records to personal cloud storage or emailing them to personal accounts).
