NYC Health + Hospitals, the largest municipal healthcare system in the United States, has confirmed a significant security breach stemming from a third-party vendor compromise. Attackers maintained unauthorized access to systems for several months, exfiltrating sensitive Protected Health Information (PHI) of at least 1.8 million individuals. The compromised data includes highly sensitive biometric data, medical diagnoses, and bank details.
For defenders, this breach underscores the critical failure of supply chain visibility. When a trusted vendor is compromised, the perimeter effectively dissolves. This analysis focuses on the attack mechanics of third-party lateral movement and provides the necessary detection logic to identify vendors behaving badly, or legitimate vendor credentials being used for malicious data exfiltration.
Technical Analysis
- Affected Platform: NYC Health + Hospitals Enterprise Network (Windows-based infrastructure)
- Entry Vector: Third-Party Vendor Remote Access (likely VPN/RDP or Citrix)
- Dwell Time: Several months
- Data Exfiltrated: Biometrics, diagnosis/ICD codes, bank account details
Attack Chain Breakdown:
- Initial Access: Attackers compromised the third-party vendor, likely stealing credentials or exploiting a vulnerability in the vendor's remote access tooling.
- Lateral Movement: Using the trusted vendor relationship, attackers authenticated into the NYC H+H network. Due to the existing trust, these connections likely bypassed standard heuristic anomaly detection (e.g., "new user" flags if the vendor account was whitelisted).
- Discovery & Collection: With months of access, attackers mapped the network to locate databases and file shares containing PHI. Specific attention was paid to biometric storage and financial records.
- Exfiltration: Data was staged and exfiltrated, likely using encrypted channels (HTTPS/SSH) to blend in with administrative traffic or leveraging legitimate admin tools (e.g., RMM software) used by the vendor.
Detection & Response
Detecting a third-party breach requires shifting from "signature-based" detection to "behavior-based" anomaly hunting. We need to hunt for intent, not just malware. The following rules focus on vendor account anomalies, sensitive data access patterns, and indicators of staging.
Sigma Rules
---
title: Vendor Account Logon Outside Business Hours
id: 8a5c2d19-4e7b-4f8a-9c1d-3e6f5a7b8c9d
status: experimental
description: |
    Detects successful logons (Event ID 4624) by vendor-specific accounts over the logon types
    a vendor would use (interactive, network, RDP). Sigma has no time-of-day modifier, so the
    off-hours window (e.g. outside 08:00-18:00 local) must be applied in the backend query or
    the correlation layer; this rule carries the account and logon-type selection. Attackers
    holding vendor credentials often work off-peak to avoid staff noticing. Tune the account
    suffixes to your naming convention; a generic pattern such as '_admin' also matches
    internal administrators and drowns the signal.
references:
    - https://attack.mitre.org/techniques/T1078/002/
author: Security Arsenal
date: 2026-05-12
tags:
    - attack.initial_access
    - attack.persistence
    - attack.t1078.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType:
            - 2     # Interactive
            - 3     # Network (SMB, WinRM)
            - 10    # RemoteInteractive (RDP)
        TargetUserName|contains:
            - '_vendor'
            - '_support'
    condition: selection
falsepositives:
    - Legitimate emergency maintenance by vendors
level: medium
---
title: Sensitive Folder Access by Non-Standard Process
id: 1b2e3f4a-5d6e-7f8a-9b0c-1d2e3f4a5b6c
status: experimental
description: |
    Detects access to directories commonly containing biometric or PHI data by interactive
    shells, scripting hosts and archivers rather than the EHR application or authorised backup
    tools. The file_access category needs file-access telemetry (the Microsoft-Windows-Kernel-File
    ETW provider or an EDR equivalent); it is not populated by Sysmon file-create events.
references:
    - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026-05-12
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection_target:
        FileName|contains:
            - '\Biometrics\'
            - '\Patients\'
            - '\Diagnoses\'
            - '\Financial\'
    selection_process:
        Image|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\python.exe'
            - '\7z.exe'
            - '\winrar.exe'
    filter_legit:
        Image|contains:
            - '\EHR_App\'
            - '\BackupService\'
    condition: all of selection_* and not filter_legit
falsepositives:
    - Administrators investigating file permissions
level: high
---
title: RDP Clipboard Redirection Started in Remote Session
id: 9c0d8e7f-6a5b-4c3d-2e1f-0a9b8c7d6e5f
status: experimental
description: |
    Detects rdpclip.exe starting, which happens when an RDP session negotiates clipboard
    redirection. Clipboard and drive redirection are common channels for pulling data out of a
    vendor remote-support session. A process-creation event cannot measure volume, so treat
    this as context: correlate it with the session's source address, the account's off-hours
    logons and the file-access rule above rather than alerting on it alone.
references:
    - https://attack.mitre.org/techniques/T1021/001/
author: Security Arsenal
date: 2026-05-12
tags:
    - attack.lateral_movement
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rdpclip.exe'
        ParentImage|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Legitimate copy-paste operations by remote admins
level: low
KQL (Microsoft Sentinel)
This KQL query hunts for vendor accounts reading sensitive resources in bulk. It relies on Event ID 4663, which is only generated where object-access auditing is enabled and SACLs are set on the PHI shares and databases, so confirm that coverage before trusting a quiet result. On 4663 the accessing account is SubjectUserName and the object is ObjectName; there is no TargetUserName on this event.
let VendorAccounts = dynamic(["VendorUser1", "VendorUser2"]);        // exact names from the vendor AD group
let VendorSuffixes = @"(?i)(_vendor|_support)$";                     // naming-convention suffixes; '_admin' would also match internal admins
let SensitiveResources = dynamic(["Biometrics_DB", "Patient_Diagnoses", "Billing_System"]);
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4663                                              // An attempt was made to access an object
| where SubjectUserName in~ (VendorAccounts) or SubjectUserName matches regex VendorSuffixes
| where ObjectName has_any (SensitiveResources)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            AccessCount = count(), DistinctObjects = dcount(ObjectName),
            ObjectSample = make_set(ObjectName, 20), AccessMasks = make_set(AccessMask)
    by SubjectUserName, SubjectDomainName, Computer, bin(TimeGenerated, 1h)
| where DistinctObjects > 100                                        // bulk-access threshold; tune against the vendor's normal baseline
| order by DistinctObjects desc
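The two checks above, the off-hours selection that the Sigma rule has to leave to the backend and the bulk-access threshold of the KQL hunt, worked through in Python over sample events. This is an added example, not code from the original advisory: the event records are constructed, and the '_vendor'/'_support' naming convention, the sensitive path list, the 08:00-18:00 window and the 100-object threshold are assumptions to be replaced with the organisation's own values.

```python
# Added example: vendor-account anomaly checks over Windows Security events.
# Not code from the original advisory. The events are constructed samples and the
# '_vendor'/'_support' naming convention, sensitive path list and thresholds are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 8, 18            # assumed vendor maintenance window (local hours)
VENDOR_SUFFIXES = ("_vendor", "_support")       # assumed account naming convention
SENSITIVE_PATHS = ("\\Biometrics\\", "\\Patients\\", "\\Diagnoses\\", "\\Financial\\")
HUNTED_LOGON_TYPES = {2, 3, 10}                 # Interactive, Network, RemoteInteractive (RDP)
BULK_THRESHOLD = 100                            # distinct sensitive objects per account per window
WINDOW = timedelta(hours=1)

# Constructed sample events; field names mirror the Security log (4624 logon, 4663 object access).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "acme_vendor", "LogonType": 10,
     "IpAddress": "10.50.1.23", "TimeCreated": "2026-05-10T02:14:05"},   # RDP at 02:14 -> alert
    {"EventID": 4624, "TargetUserName": "acme_vendor", "LogonType": 3,
     "IpAddress": "10.50.1.23", "TimeCreated": "2026-05-10T02:15:00"},   # SMB at 02:15 -> alert
    {"EventID": 4624, "TargetUserName": "svc_vendor", "LogonType": 5,
     "IpAddress": "-", "TimeCreated": "2026-05-10T02:16:00"},            # service logon -> ignored
    {"EventID": 4624, "TargetUserName": "acme_vendor", "LogonType": 10,
     "IpAddress": "10.50.1.23", "TimeCreated": "2026-05-10T10:02:11"},   # in hours -> no alert
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10,
     "IpAddress": "10.20.4.8", "TimeCreated": "2026-05-10T03:30:00"},    # not a vendor account
]
# 150 patient files read by the vendor account within three minutes at 02:20 ...
SAMPLE_EVENTS += [
    {"EventID": 4663, "SubjectUserName": "acme_vendor", "AccessMask": "0x1",
     "ObjectName": f"\\\\FS01\\PHI\\Patients\\{i:06d}.pdf",
     "TimeCreated": f"2026-05-10T02:{20 + i // 60:02d}:{i % 60:02d}"}
    for i in range(150)
]
# ... versus a clinician opening five charts during the day (stays under the threshold).
SAMPLE_EVENTS += [
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x1",
     "ObjectName": f"\\\\FS01\\PHI\\Patients\\{i:06d}.pdf",
     "TimeCreated": f"2026-05-10T10:{i:02d}:00"}
    for i in range(5)
]


def is_vendor_account(name: str) -> bool:
    return name.lower().endswith(VENDOR_SUFFIXES)


def off_hours_vendor_logons(events, start=BUSINESS_START, end=BUSINESS_END):
    """Check 1: successful logons by vendor accounts outside [start, end) local hours.
    This is the time-of-day condition the Sigma rule has to leave to the backend."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in HUNTED_LOGON_TYPES:
            continue
        if not is_vendor_account(e["TargetUserName"]):
            continue
        hour = datetime.fromisoformat(e["TimeCreated"]).hour
        if not start <= hour < end:
            alerts.append({"user": e["TargetUserName"], "source": e["IpAddress"],
                           "logon_type": e["LogonType"], "time": e["TimeCreated"]})
    return alerts


def bulk_sensitive_access(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Check 2: an account touching >= threshold distinct sensitive objects inside a sliding
    time window (the KQL hunt's threshold, but on distinct objects, so a process re-reading
    one file in a loop does not trip it)."""
    touches = defaultdict(list)                 # user -> [(timestamp, object)]
    for e in events:
        if e["EventID"] != 4663:
            continue
        obj = e["ObjectName"]
        if any(p.lower() in obj.lower() for p in SENSITIVE_PATHS):
            touches[e["SubjectUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), obj))

    alerts = []
    for user, items in touches.items():
        items.sort()
        in_window, left = Counter(), 0
        for ts, obj in items:
            in_window[obj] += 1
            while ts - items[left][0] > window:      # evict accesses older than the window
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({"user": user, "distinct_objects": len(in_window),
                               "window_start": items[left][0].isoformat(),
                               "window_end": ts.isoformat()})
                break                               # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for a in off_hours_vendor_logons(SAMPLE_EVENTS):
        print("OFF-HOURS VENDOR LOGON:", a)
    for a in bulk_sensitive_access(SAMPLE_EVENTS):
        print("BULK SENSITIVE ACCESS:", a)
```

Run against the sample data, the first check fires twice for acme_vendor (the 02:14 RDP logon and the 02:15 network logon) and ignores the service logon, while the second fires once when the vendor account's distinct-object count reaches 100 inside the hour; the clinician's five accesses never reach the threshold. Counting distinct objects rather than raw events matters in practice: a backup agent or an EHR indexer re-opening the same file hundreds of times is noise, a human account opening hundreds of different patient files at 02:20 is not.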
Velociraptor VQL
Hunt for processes that may be staging data for exfiltration. The first query selects common archive tools (WinRAR, 7-Zip) or shells whose command line references patient data or compression switches; the second confirms that the process actually holds an open file handle under a sensitive path. VQL has no SQL JOIN, so the cross-reference is done with foreach() over the candidate processes.
-- Hunt for archiving processes whose command line references sensitive data or compression switches
LET archivers = SELECT Pid, Name AS ProcName, CommandLine, Exe, Username, CreateTime
  FROM pslist()
  WHERE Name =~ '(?i)^(winrar|7z|7za|powershell|pwsh|cmd)[.]exe$'
    AND CommandLine =~ '(?i)(biometric|patient|diagnos|compress-archive|-tzip|[ ]a[ ]+-)'

-- Cross-reference with open file handles to confirm access to sensitive paths.
-- foreach() runs the inner query once per candidate process; Pid and the other
-- columns of the outer row are in scope inside the inner query.
SELECT ProcName, Pid, CommandLine, Exe, Username, CreateTime, OpenFile
FROM foreach(row=archivers,
  query={
    SELECT ProcName, Pid, CommandLine, Exe, Username, CreateTime, Name AS OpenFile
    FROM handles(pid=Pid, types='File')
    WHERE Name =~ '(?i)[\\\\/](Patients|Biometric)[\\\\/]'
  })
Remediation Script (PowerShell)
This script assists IR teams in auditing active vendor sessions on the host where it runs and in disabling the Active Directory accounts of the implicated vendor group. Run it from a domain-joined IR workstation with rights to disable the accounts, and repeat the session check on each vendor jump host, since logon sessions are only visible locally.
#Requires -Modules ActiveDirectory
# Emergency Vendor Audit and Isolation Script
# Session discovery covers this host only; run it on every vendor jump host.
param(
    [Parameter(Mandatory=$true)]
    [string]$VendorGroupName,
    [string]$LogPath = "C:\IR\VendorAudit_$(Get-Date -Format 'yyyyMMdd').log"
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Write-Log {
    param([string]$message)
    Add-Content -Path $LogPath -Value "[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] $message"
    Write-Host $message
}

Write-Log "Starting audit for vendor group: $VendorGroupName"

# Resolve user members only: nested groups are expanded and group/computer objects skipped,
# otherwise Disable-ADAccount below fails on them.
$vendorUsers = Get-ADGroupMember -Identity $VendorGroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
Write-Log "Resolved $(@($vendorUsers).Count) vendor user account(s)"

# 1. Identify active logon sessions for vendor users on this host.
# Win32_LoggedOnUser links an account (Antecedent) to a logon session (Dependent, keyed by LogonId).
Write-Log "Checking for active sessions..."
$loggedOn = Get-CimInstance -ClassName Win32_LoggedOnUser
foreach ($user in $vendorUsers) {
    $hits = $loggedOn | Where-Object { $_.Antecedent.Name -eq $user }
    foreach ($hit in $hits) {
        $logonId = $hit.Dependent.LogonId
        $session = Get-CimInstance -ClassName Win32_LogonSession -Filter "LogonId='$logonId'"
        # LogonType 10 = RemoteInteractive (RDP), 2 = Interactive, 3 = Network
        Write-Log "ALERT: Active session for $user (LogonId=$logonId, LogonType=$($session.LogonType), Start=$($session.StartTime))"
    }
    # Optional forced logoff. logoff.exe expects the terminal-session ID shown by quser,
    # not the LogonId above. Uncomment to terminate; the regex picks the ID column
    # whether or not the SESSIONNAME column is blank (disconnected sessions).
    # quser $user 2>$null | Select-Object -Skip 1 | ForEach-Object {
    #     if ($_ -match '^\s*>?\S+\s+(?:\S+\s+)?(\d+)\s') { logoff $Matches[1] }
    # }
}

# 2. Disable vendor accounts immediately
Write-Log "Disabling all accounts in group: $VendorGroupName"
foreach ($user in $vendorUsers) {
    try {
        Disable-ADAccount -Identity $user -ErrorAction Stop
        Write-Log "Disabled account: $user"
    } catch {
        Write-Log "ERROR disabling $user : $_"
    }
}
Write-Log "Audit complete. Review logs at $LogPath"
Remediation
Immediate containment and long-term hardening are required to address this supply chain failure.
- Immediate Vendor Access Revocation:
  - Revoke all privileged access for the implicated third-party vendor immediately. Disable associated Active Directory accounts and terminate active VPN/Remote Desktop sessions.
  - Force a password reset for all service accounts utilized by the vendor.
- Network Segmentation (The Zero Trust Pivot):
  - Move vendor access into a dedicated VLAN with strict egress filtering. Vendors should only connect via a jump host with session recording (PAM). Implement "Never Trust, Always Verify": vendor devices must be compliant before accessing the network.
- Data Access Governance:
  - Conduct a granular audit of Active Directory and file system permissions. Ensure the principle of least privilege is enforced. The vendor account used in this breach likely had excessive permissions.
  - Implement Data Loss Prevention (DLP) policies to alert on bulk transfers of sensitive keywords (e.g., "Diagnosis", "Bank Routing", "Biometric Hash").
- Forensic Validation:
  - Engage DFIR specialists to image the vendor's point-of-entry systems and the internal jump servers.
  - Validate that no webshells or persistence mechanisms (scheduled tasks, registry run keys) were left behind on the EHR servers.