Radiology Associates of Richmond (RAR), a prominent Virginia-based practice, has confirmed a significant data breach impacting approximately 266,000 individuals. The incident, which involves unauthorized access to the practice's network, places highly sensitive Protected Health Information (PHI) at risk. For defenders, this breach is a critical indicator of the continued targeting of healthcare entities for PHI theft and potential downstream fraud. Immediate action is required to audit access controls, detect exfiltration activity, and harden EHR and PACS environments against similar unauthorized access attempts.
Technical Analysis
While specific CVEs were not disclosed in the initial report, the breach is characterized as unauthorized network access. In healthcare contexts, this typically involves the exploitation of web-facing interfaces (e.g., VPNs, RDP gateways, or patient portals) or phishing-based credential theft leading to lateral movement.
- Affected Systems: Internal network segments hosting patient data, potentially including Picture Archiving and Communication Systems (PACS) and Electronic Medical Records (EMR).
- Attack Vector: Unauthorized Network Access. The attacker gained access to the network, likely bypassing perimeter defenses or leveraging compromised credentials.
- Impact: Unauthorized access to files containing patient names, dates of birth, diagnosis information, and potentially radiological images.
- Exploitation Status: Confirmed active exploitation. The breach has been verified, and data has been confirmed as accessed.
Defenders should assume that standard credential stuffing or known vulnerabilities in remote access services were the initial entry point and hunt for signs of lateral movement and mass data staging.
Detection & Response
Given the lack of a specific CVE, detection must focus on the behaviors associated with data theft: mass file access, unusual archiving activity, and suspicious data egress.
---
title: Potential Mass Data Staging via Archive Tool
id: 9f8c7d6e-5b4a-3f2e-1d0c-9b8a7f6e5d4c
status: experimental
description: Detects the creation of large archive files (zip, rar, 7z) in user directories, a common tactic used to stage PHI for exfiltration.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/04/04
tags:
- attack.collection
- attack.t1560.001
logsource:
category: file_creation
product: windows
detection:
selection:
TargetFilename|contains:
- '\\AppData\\'
- '\\Desktop\\'
- '\\Downloads\\'
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
condition: selection
falsepositives:
- Users backing up their own data
- Legitimate software updates
level: medium
---
title: Suspicious Process Accessing PACS/EMR Directories
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects unusual processes (e.g., cmd, powershell, python) accessing common medical imaging or data directories.
references:
- https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2025/04/04
tags:
- attack.collection
- attack.t1005
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains:
- '\\PACS\\'
- '\\EMR\\'
- '\\PatientData\\'
filter_legit:
Image|contains:
- '\\radiology_app.exe'
- '\\med_viewer.exe'
condition: selection and not filter_legit
falsepositives:
- Administrative backups
- Legitimate diagnostic tools
level: high
KQL (Microsoft Sentinel / Defender)
This hunt query identifies large outbound data transfers from internal hosts, which may indicate exfiltration of stolen PHI.
DeviceNetworkEvents
| where Direction == "Outbound"
| where SentBytes > 50000000 // Greater than 50MB
| where RemotePort !in (443, 80, 25) // Exclude standard web/mail traffic
| summarize TotalBytesSent=sum(SentBytes), RemoteIPs=make_set(RemoteIP), ConnectionCount=count() by DeviceName, InitiatingProcessFileName
| order by TotalBytesSent desc
Velociraptor VQL
Hunt for suspicious archive files recently created in user profiles, which could indicate data staging.
SELECT FullPath, Size, Mtime, Mode
FROM glob(globs='C:/Users/*/*.zip', accessor='auto')
WHERE Mtime > now() - 7d
OR Size > 100000000
Remediation Script (PowerShell)
Run this script on critical servers to audit recent modifications to sensitive directories.
# Audit recent changes in sensitive data directories
$Days = 7
$SensitivePaths = @("C:\PACS", "C:\EMR", "D:\PatientData") # Customize paths
$Date = (Get-Date).AddDays(-$Days)
Write-Host "Scanning for changes in the last $Days days..."
foreach ($Path in $SensitivePaths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt $Date -or $_.CreationTime -gt $Date } |
Select-Object FullName, LastWriteTime, @{Name='SizeMB';Expression={[math]::Round($_.Length/1MB,2)}} |
Format-Table -AutoSize
} else {
Write-Host "Path not found: $Path"
}
}
Remediation
- Credential Reset: Force a password reset for all users with access to the affected network segments, specifically focusing on administrative and clinician accounts.
- Access Review: Conduct an immediate review of Active Directory and EHR access logs. Revoke access for any terminated or dormant accounts.
- Network Segmentation: Ensure that PACS and EMR systems are isolated from the general network and strictly accessible only via VPN with MFA or dedicated jump hosts.
- Egress Filtering: Implement strict firewall rules to block outbound traffic from medical workstations to unknown IPs/IPs not required for business operations.
- Vendor Coordination: If the breach involved a third-party vendor (e.g., cloud hosting or PACS vendor), review their security bulletins and apply recommended patches immediately.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.