Introduction
In May 2026, the healthcare sector faced a renewed wave of cyber threats affecting nine distinct HIPAA-regulated entities. Most notably, the University of Nebraska Medical Center (UNMC) and Singing River Health System disclosed significant security incidents involving the unauthorized access to Protected Health Information (PHI).
For SOC analysts and IR responders, this isn't just another round-up; it confirms that threat actors are successfully bypassing perimeter defenses to target high-value clinical data stores. The breach of academic medical centers and regional health systems suggests a trend towards exploiting credential-theft vulnerabilities and third-party vendor dependencies. Defenders need to act immediately to audit EHR access logs and validate endpoint detection coverage on clinical workstations.
Technical Analysis
While specific CVEs were not universally disclosed across all nine entities, the attack vectors reported typically align with the following technical scenarios observed in recent healthcare intrusions:
- Affected Products/Platforms: Electronic Health Record (EHR) applications (e.g., Epic, Cerner), VPN concentrators, and remote desktop services (RDP).
- Vulnerability/Attack Mechanism:
- Credential Stuffing & Session Hijacking: Attackers are leveraging leaked credentials to access webmail and VPN portals. In healthcare, where shared workstations are common, session hijacking via tools like Mimikatz remains prevalent.
- Data Exfiltration: Once inside the network, actors utilize legitimate administrative tools (e.g., PowerShell,
robocopy) to stage and exfiltrate large volumes of PHI to cloud storage or external FTP servers.
- Exploitation Status: Confirmed Active Exploitation. These are not theoretical risks; UNMC and Singing River have confirmed that data was accessed or exfiltrated.
Detection & Response
Given the lack of a single specific CVE in this round-up, detection efforts must focus on the behavior of unauthorized data access and exfiltration within clinical environments.
SIGMA Rules
---
title: Potential Mass PHI Exfiltration via PowerShell
id: 88c3d5a1-1a4b-4c5e-9d6f-3e2c1b5a9d8f
status: experimental
description: Detects the use of PowerShell to compress or export large numbers of files, common in data exfiltration incidents targeting healthcare records.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.exfiltration
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_poweshell:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_compression:
CommandLine|contains:
- 'Compress-Archive'
- 'Copy-ToZip'
selection_targeting:
CommandLine|contains:
- '.csv'
- '.xls'
- 'patient'
- 'medical'
- 'phi'
condition: all of selection_*
falsepositives:
- Legitimate system backups by IT admin
level: high
---
title: Unusual Network Connection from Clinical Workstation
id: 99d4e6b2-2b5c-5d6f-0e7g-4f3d2c6a0e9g
status: experimental
description: Detects outbound network connections from typical clinical workstation processes to non-standard ports or external IPs, indicating potential C2 or exfiltration.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/05/15
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection_img:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\edge.exe'
selection_port:
DestinationPort|notin:
- 80
- 443
- 8080
selection_suspicious:
DestinationIp|cidr:
- '0.0.0.0/0'
filter_azure:
DestinationIp|cidr:
- '10.0.0.0/8'
- '192.168.0.0/16'
- '172.16.0.0/12'
condition: selection_img and selection_port and selection_suspicious and not filter_azure
falsepositives:
- Misconfigured internal proxy
level: medium
KQL (Microsoft Sentinel)
This query hunts for unusual access patterns to file shares hosting medical records.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated" or ActionType == "FileAccessed"
| where FolderPath contains "\\" and (FolderPath contains "Patient" or FolderPath contains "Medical" or FolderPath contains "Records")
| where InitiatingProcessFileName !in_("explorer.exe", "svchost.exe", "services.exe")
| summarize Count=count(), AccessedFiles=makeset(FileName) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| where Count > 50
Velociraptor VQL
Hunt for instances of data staging (renaming files to obscure extensions) on user drives.
-- Hunt for renamed archives or suspicious file extensions in user profiles
SELECT FullPath, Size, Mtime, Sys.btime as Btime
FROM glob(globs="C:\Users\*\*.tmp", root="/")
WHERE Size > 1024 * 1024
AND Mtime > now() - 7d
-- Combine with check for hidden files
UNION ALL
SELECT FullPath, Size, Mtime, Sys.btime as Btime
FROM glob(globs="C:\Users\*\AppData\Local\Temp\*", root="/")
WHERE Name =~ '.zip' OR Name =~ '.rar'
AND Size > 1024 * 1024 * 5
Remediation Script (PowerShell)
This script audits and hardens RDP configurations, a common vector in healthcare breaches involving UNMC-sized entities.
# Audit and Remediation Script for RDP Security
# Run as Administrator
Write-Host "[+] Initiating RDP Security Audit and Hardening..." -ForegroundColor Cyan
# Check if RDP is enabled
$rdpProperty = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpProperty.fDenyTSConnections -eq 0) {
Write-Host "[WARNING] RDP is currently ENABLED." -ForegroundColor Yellow
# Disable RDP if not required (Comment out the line below to keep enabled)
# Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
# Write-Host "[ACTION] RDP has been DISABLED." -ForegroundColor Green
} else {
Write-Host "[INFO] RDP is currently DISABLED." -ForegroundColor Green
}
# Enforce Network Level Authentication (NLA)
$nlaProperty = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -ErrorAction SilentlyContinue
if ($nlaProperty.UserAuthentication -ne 1) {
Write-Host "[ACTION] Enabling Network Level Authentication (NLA)..." -ForegroundColor Yellow
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
} else {
Write-Host "[INFO] NLA is already enforced." -ForegroundColor Green
}
# Check for local users in RDP group (security risk)
$localGroupMembers = Get-LocalGroupMember -Group "Remote Desktop Users" -ErrorAction SilentlyContinue
if ($localGroupMembers) {
Write-Host "[WARNING] Found members in 'Remote Desktop Users' group:" -ForegroundColor Yellow
$localGroupMembers | Select-Object Name, PrincipalSource | Format-Table
} else {
Write-Host "[INFO] No users in 'Remote Desktop Users' group." -ForegroundColor Green
}
Write-Host "[+] Audit Complete." -ForegroundColor Cyan
Remediation
- Credential Reset & MFA Enforcement: For all affected entities, specifically UNMC and Singing River, immediate credential resets for privileged accounts are mandatory. Enforce Phishing-Resistant MFA (FIDO2) across all EHR access points.
- Vendor Risk Assessment: Review access logs for all third-party vendors. Revoke unnecessary access and enforce "Just-In-Time" (JIT) access for external support teams.
- EHR Logging: Ensure comprehensive audit logging is enabled within EHR platforms (Epic/Cerner). Specifically, enable alerts for "Break-the-Glass" emergency access overrides and bulk patient record queries.
- Patching: While no specific CVE is named in the round-up, ensure all VPN concentrators and remote access gateways are patched against known 2025-2026 vulnerabilities (e.g., Ivanti, Fortinet, Cisco). Check CISA KEV catalog for specific entries relevant to your appliance models.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.