Perry Johnson & Associates Breach: Third-Party Supply Chain Compromise & Exfiltration Detection

Atrium Health Navicent and Interim HealthCare of Lubbock/Amarillo have begun notifying patients following a significant data breach at their Business Associate (BA), Perry Johnson & Associates (PJ&A). This incident highlights the critical vulnerability in the healthcare supply chain: a single compromise at a third-party vendor can expose the Protected Health Information (PHI) of millions of patients across multiple Covered Entities.

For defenders, this is not just a compliance issue; it is an active intelligence failure. If your organization relies on third-party transcription, coding, or storage services, you must assume that vendor credentials are currently being targeted. This post outlines the technical mechanics of this specific supply chain attack and provides detection logic to identify data exfiltration patterns indicative of such breaches.

Technical Analysis

• Affected Systems: Perry Johnson & Associates (Medical Transcription/Coding Services). The compromise impacted the systems used to process voice files and transcribe medical records for client hospitals.
• Threat Vector: Supply Chain Compromise via Network Intrusion. While specific CVEs have not been publicly disclosed as the entry point, the attack chain involves unauthorized access to the vendor's network, lateral movement to file repositories, and data exfiltration.
• Attack Chain Breakdown:
  1. Initial Access: Likely credential theft or vulnerability exploitation targeting the BA's external perimeter.
  2. Discovery & Lateral Movement: Attackers moved through the vendor's network to locate file servers containing unencrypted audio files and transcribed medical records.
  3. Data Staging: Large volumes of PHI (PDFs, Word docs, Audio files) were aggregated, likely compressed to evade simple traffic size filters.
  4. Exfiltration: Data was transferred out of the vendor environment to external command-and-control (C2) or cloud storage nodes.
• Exploitation Status: Confirmed active exploitation. Data theft has been verified, impacting patients' names, dates of birth, medical record numbers, and clinical information.

Detection & Response

Detecting a Business Associate breach from the inside of the Covered Entity is difficult, as the traffic originates externally. However, defenders must hunt for signs of data staging within their own perimeter if they have integrated file shares, and monitor for exfiltration tools commonly used in these large-scale thefts.

The following rules focus on detecting the tools and behaviors typically associated with bulk data exfiltration (compression utilities and file transfer tools) on endpoints and servers.

---
title: Potential Data Staging via High-Volume Compression
id: 8a4b2c10-7d9e-4f5a-9b1c-3d5e6f8a9b0c
status: experimental
description: Detects the use of archiving tools like 7-Zip or WinRAR often used to stage data for exfiltration. High frequency or large archive creation on file servers is suspicious.
references:
 - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2024/05/24
tags:
 - attack.collection
 - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\rar.exe'
      - '\winzip64.exe'
  filter_legit_admin:
    ParentImage|contains:
      - '\Explorer.exe'
  condition: selection and not filter_legit_admin
falsepositives:
  - Legitimate administrative backups
level: medium
---
title: Suspicious Rclone Execution (Cloud Exfiltration Tool)
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects execution of Rclone, a command-line tool often abused by threat actors to sync and exfiltrate data to various cloud storage providers.
references:
 - https://attack.mitre.org/techniques/T1048/
author: Security Arsenal
date: 2024/05/24
tags:
 - attack.exfiltration
 - attack.t1048
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rclone.exe'
    CommandLine|contains:
      - 'sync'
      - 'copy'
      - 'config'
falsepositives:
  - Authorized use by IT staff for backups
level: high

Microsoft Sentinel / Defender KQL

Hunt for unusual outbound network traffic patterns that suggest data exfiltration, specifically targeting large data uploads to consumer cloud storage or non-whitelisted IPs.

// Hunt for large outbound data transfers indicating potential exfiltration
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" 
| where Direction == "Outbound"
| where SentBytes > 50000000 // Greater than 50MB
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, SentBytes, RemotePort
| summarize TotalBytesSent=sum(SentBytes), ConnectionCount=count() by DeviceName, RemoteUrl, InitiatingProcessAccountName
| where ConnectionCount < 50 // Filter out constant heartbeat traffic, focus on bulk transfers
| sort by TotalBytesSent desc

Velociraptor VQL

Hunt endpoints for the presence of common exfiltration tools and recent modifications to archives in user directories.

-- Hunt for Rclone or WinSCP binaries and recently modified archives
SELECT 
  OSPath, 
  Size, 
  Mtime, 
  Mode.String 
FROM glob(globs="C:/Users/**/*")
WHERE Name =~ "rclone.exe" 
   OR Name =~ "winscp.exe" 
   OR (Name =~ ".zip" AND Mtime > now() - 7d)

Remediation Script (PowerShell)

Use this script to audit permissions on sensitive file shares. Business Associate breaches often exploit overly permissive "Everyone" or "Authenticated Users" shares within the victim's own network if a trust relationship exists, or simply to harden the internal environment against lateral movement.

# Audit File Shares for Excessive Permissions
# Helps identify data stores vulnerable to bulk scraping.

Get-SmbShare | Where-Object { $_.Name -notlike '*$' -and $_.Path -ne '' } | ForEach-Object {
    $SharePath = $_.Path
    $ShareName = $_.Name
    try {
        $Acl = Get-Acl -Path $SharePath -ErrorAction Stop
        $Access = $Acl.Access | Where-Object { $_.IdentityReference -like "*Everyone*" -or $_.IdentityReference -like "*Authenticated Users*" }
        
        if ($Access) {
            Write-Host "[!] VULNERABLE SHARE FOUND: $ShareName at $SharePath" -ForegroundColor Red
            $Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        } else {
            Write-Host "[+] OK: $ShareName" -ForegroundColor Green
        }
    } catch {
        Write-Host "[ERROR] Could not access $SharePath" -ForegroundColor Yellow
    }
}

Remediation

1. Vendor Risk Management (VRM) Audit: Immediately review the Business Associate Agreements (BAA) with all vendors handling PHI. Demand an updated Security Assessment and a detailed Incident Report from Perry Johnson & Associates or any affected vendor.
2. Patient Notification: Ensure your notification plan is activated. Do not rely solely on the vendor's timeline; HIPAA requires the Covered Entity to notify affected individuals without unreasonable delay.
3. Network Segmentation: Ensure that any connectivity provided to third-party vendors is strictly segmented (zero-trust). They should not have broad access to the internal network.
4. Data Loss Prevention (DLP): Implement or tighten DLP rules to monitor and block unauthorized transmission of sensitive keywords (e.g., "Medical Record," "Diagnosis") and file types (PDF, DOCX) to non-approved external destinations.
5. Credit Monitoring: Offer identity theft protection services to affected patients as a standard remediation step.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub