Back to Intelligence

Lakeview Health Settlement: Mitigating Email Compromise and PHI Exfiltration Risks

SA
Security Arsenal Team
May 29, 2026
5 min read

Lakeview Health Systems LLC has agreed to a settlement to resolve a class action lawsuit following a significant data breach. While the financial details of the settlement grab headlines, the underlying technical failure—unauthorized access to sensitive patient data—serves as a critical warning for healthcare CISOs and defenders. The breach, which exposed Protected Health Information (PHI), likely originated from compromised email accounts, a vector that remains the primary entry point for ransomware and data theft in the healthcare sector. For defenders, this case is not just a legal headline; it is a blueprint for what happens when email monitoring, access controls, and data exfiltration defenses fail. We must act now to audit our environments for the same weaknesses.

Technical Analysis

While specific CVEs are often not the headline in class action settlements (which focus on negligence), the attack vector in healthcare breaches of this nature is overwhelmingly Business Email Compromise (BEC) and Webmail Exploitation.

  • Attack Vector: Credential theft via phishing leading to unauthorized access to Microsoft 365 (formerly Office 365) or Exchange Web Services.
  • Affected Platform: Microsoft 365 / Exchange Online.
  • Mechanism: Attackers utilize valid credentials to access patient mailboxes. Once inside, they utilize Inbox Rules to suppress alerts (e.g., moving mail items to "Archive" or "Deleted Items") and export sensitive data (PDFs, Word docs containing PHI) via web clients or desktop protocols (MAPI/HTTP).
  • Exploitation Status: Confirmed active. This methodology is consistently ranked as the #1 initial access vector in healthcare according to the Verizon DBIR and HHS OCR breach reports.

Detection & Response

Defenders must assume that valid credentials are already in play. We need visibility into three key areas: bulk email exports, the creation of suspicious inbox rules (used to hide exfiltration), and the presence of unauthorized archive files (.pst) on endpoints.

Sigma Rules

YAML
---
title: Potential Outlook Mass Export of PHI
id: 8f4c2e9a-1d3b-4f5e-9a6b-7c8d9e0f1a2b
status: experimental
description: Detects Outlook.exe writing a high volume of .msg or .pst files, indicative of manual data exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.exfiltration
  - attack.t1560.001
logsource:
  category: file_create
  product: windows
detection:
  selection:
    Image|endswith: '\outlook.exe'
    TargetFilename|contains:
      - '.msg'
      - '.pst'
  condition: selection | count(TargetFilename) > 10
  timeframe: 5m
falsepositives:
  - Legitimate user backups or email migrations
level: high
---
title: Suspicious PowerShell Exchange Inbox Rule Creation
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell commands creating inbox rules to hide emails, common in BEC and data theft.
references:
  - https://attack.mitre.org/techniques/T1114/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.defense_evasion
  - attack.t1114.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:\    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'New-InboxRule'
      - 'Set-InboxRule'
    CommandLine|contains:
      - 'DeleteMessage'
      - 'MoveToFolder'
falsepositives:
  - Admin automation scripts
level: medium

KQL (Microsoft Sentinel)

This query targets OfficeActivity logs to identify the creation of Inbox Rules that move emails to hidden folders, a tactic used by attackers to hide data breach notifications from the victim.

KQL — Microsoft Sentinel / Defender
OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
| extend Parameters = todynamic(Parameters)
| mv-apply Param = Parameters on 
    (
        where Param.Name =~ "DeletedMessage" or Param.Name =~ "MoveToFolder"
        | project RuleAction = Param.Value
    )
| where isnotempty(RuleAction)
| project TimeGenerated, UserId, Operation, ClientIP, ObjectId, Parameters
| sort by TimeGenerated desc

Velociraptor VQL

Hunt endpoints for the presence of recently created Personal Storage Table (.pst) files. These archives are often used to bulk exfiltrate mail data outside of standard logging channels.

VQL — Velociraptor
-- Hunt for recently created PST files indicating offline mail export
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs='C:\Users\*\*.pst')
WHERE Mtime > now() - 7d
  AND Size > 1024 * 1024 // Filter for files larger than 1MB to reduce noise

Remediation Script (PowerShell)

Use this script to audit for and report on external email forwarding rules configured in Microsoft 365, a common method for data exfiltration.

PowerShell
# Audit Office 365 Mailboxes for External Forwarding Rules
# Requires Exchange Online Management Module

Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

$mailboxes = Get-Mailbox -ResultSize Unlimited
$forwardingReport = @()

foreach ($mailbox in $mailboxes) {
    $inboxRules = Get-InboxRule -Mailbox $mailbox.PrimarySmtpAddress
    
    foreach ($rule in $inboxRules) {
        if ($rule.ForwardTo -or $rule.RedirectTo) {
            $forwardingReport += [PSCustomObject]@{
                User              = $mailbox.PrimarySmtpAddress
                RuleName          = $rule.Name
                ForwardTo         = $rule.ForwardTo -join ','
                RedirectTo        = $rule.RedirectTo -join ','
                Enabled           = $rule.Enabled
            }
        }
    }
}

if ($forwardingReport) {
    $forwardingReport | Export-Csv -Path "C:\Temp\ExternalForwardingAudit.csv" -NoTypeInformation
    Write-Host "[ALERT] External forwarding rules found. Report saved to C:\Temp\ExternalForwardingAudit.csv" -ForegroundColor Red
} else {
    Write-Host "[INFO] No external forwarding rules detected." -ForegroundColor Green
}

Disconnect-ExchangeOnline -Confirm:$false

Remediation

To prevent a similar settlement scenario in your organization, implement the following defensive measures immediately:

  1. Disable Legacy Authentication: Attackers thrive on Basic Auth. Disable it for all protocols (SMTP, IMAP, POP) in Exchange Online. Enforce Modern Authentication (OAuth2) exclusively.
  2. Enforce Conditional Access Policies: Configure Azure AD Conditional Access to block or require MFA for logins from risky locations, anonymous IP addresses, or impossible travel scenarios.
  3. Audit Inbox Rules: Implement a recurring scheduled task (weekly) to review and validate any new Inbox Rules that involve moving or deleting messages. Alert on these events via your SIEM.
  4. Data Loss Prevention (DLP): Deploy Microsoft Purview Information Protection to automatically detect and block the transmission of credit card numbers, SSNs, or medical record numbers (MRNs) to personal email accounts or unapproved domains.
  5. User Education: Conduct specific phishing simulations targeting credential harvesting. Train users to recognize the difference between a valid MFA prompt and a fake credential capture page.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachhealthcareemail-securityphi-exfiltration

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action