Introduction
Radiology Associates of Richmond (RAR) has confirmed a significant security incident impacting approximately 266,000 individuals. Threat actors successfully infiltrated the organization's systems and exfiltrated files containing sensitive patient data, including names and Protected Health Information (PHI). For defenders, this is a critical reminder of the high value of medical imaging and patient data on the dark web. This breach highlights a failure in either perimeter defenses, internal segmentation, or data loss prevention (DLP) controls. Immediate action is required to audit egress logs and identify potential indicators of compromise (IOCs) associated with mass data theft.
Technical Analysis
While the specific vulnerability (CVE) or initial access vector has not been publicly disclosed, the attack profile aligns with common tactics targeting healthcare providers:
- Target Assets: File servers, Electronic Health Record (EHR) systems, and Picture Archiving and Communication Systems (PACS) storing DICOM images and associated metadata.
- Attack Vector: Likely involving initial access via phishing, exploited public-facing services (e.g., VPN, RDP), or third-party vendor compromises, followed by lateral movement to data repositories.
- Mechanism of Theft: The threat actors "stole files." In a technical context, this usually involves the "Collection" and "Exfiltration" tactics from the MITRE ATT&CK framework. Actors commonly utilize archiving tools (like 7-Zip or WinRAR) to stage large volumes of PHI (PDFs, DICOM, CSVs) before transferring them via encrypted channels (HTTPS, SSH) to command-and-control (C2) infrastructure or cloud storage.
- Exploitation Status: Confirmed data exfiltration. Active defense is required to detect ongoing staging or similar attempts within the environment.
Detection & Response
Given the theft of files, detection efforts must focus on identifying mass data compression and unusual network egress patterns originating from workstations or servers hosting patient data.
SIGMA Rules
The following rules detect common behaviors associated with data staging and exfiltration.
---
title: Potential PHI Staging via High-Volume Archiving
id: 8a4f2c91-1d3e-4f5a-9b6c-7d8e9f0a1b2c
status: experimental
description: Detects the creation of archives (zip, rar, 7z) with high compression levels or specific keywords often associated with patient data, indicative of staging for exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\7z.exe'
      - '\winrar.exe'
      - '\zip.exe'
      - '\tar.exe'
  selection_keywords:
    CommandLine|contains:
      - 'patient'
      - 'radiology'
      - 'medical'
      - 'phi'
      - 'dicom'
  condition: all of selection_*
falsepositives:
  - Legitimate system backups by administrative staff
level: high
---
title: Large Volume Egress from Non-Standard Application
id: 9b5g3d02-2e4f-5g6b-0c7d-8e9f0a1b2c3d
status: experimental
description: Identifies outbound HTTP/HTTPS connections from processes not typically associated with high-bandwidth transfers, suggesting potential data theft.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2025/04/08
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  # Sysmon network_connection events (Event ID 3) carry no byte counts, so this rule
  # flags the connection only; confirm "large volume" against proxy, firewall or NetFlow data.
  selection:
    Initiated: 'true'
    DestinationPort:
      - 443
      - 80
  filter_legit_apps:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\iexplore.exe'
      - '\svchost.exe'
  condition: selection and not filter_legit_apps
falsepositives:
  - Video conferencing tools
  - Software updates
level: medium
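As an added example (not code from this advisory), the logic of both Sigma rules rendered in Python over constructed Sysmon-style process events and proxy log lines: the staging check is the first rule's archiver-plus-keyword test, and the egress check adds the per-process byte aggregation that Sysmon network_connection events cannot supply on their own. Host names, users, IPs, the proxy line format and the process allow list (trimmed here to browsers) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the incident). Names and IPs are made up.
PROCESS_EVENTS = [
    {"host": "RAD-WS01", "user": "jdoe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -mx9 C:\Temp\out.7z D:\PACS\dicom\patient_*"},
    {"host": "RAD-WS02", "user": "backup", "image": r"C:\Tools\7z.exe",
     "cmdline": r"7z.exe a E:\backups\sysstate.7z C:\Windows\System32\config"},
    {"host": "RAD-WS03", "user": "asmith", "image": r"C:\Windows\notepad.exe",
     "cmdline": r"notepad.exe radiology_notes.txt"},
]
PROXY_LINES = [
    "2025-04-07T02:13:44Z RAD-WS01 rclone.exe 203.0.113.10:443 bytes_out=734003200",
    "2025-04-07T02:15:01Z RAD-WS01 rclone.exe 203.0.113.10:443 bytes_out=812345678",
    "2025-04-07T09:01:12Z RAD-WS02 msedge.exe 198.51.100.5:443 bytes_out=5242880",
    "2025-04-07T09:02:30Z RAD-WS04 svchost.exe 198.51.100.20:443 bytes_out=104857600",
]

ARCHIVERS = ("\\7z.exe", "\\winrar.exe", "\\zip.exe", "\\tar.exe")
# Short tokens such as "phi" also match words like "graphics"; review hits before acting.
PHI_KEYWORDS = ("patient", "radiology", "medical", "phi", "dicom")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

def staging_hits(events):
    """First rule: an archiver image AND a PHI keyword in the command line."""
    hits = []
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmdline"].lower()
        if image.endswith(ARCHIVERS) and any(k in cmd for k in PHI_KEYWORDS):
            hits.append((ev["host"], ev["user"], ev["cmdline"]))
    return hits

def egress_by_process(lines):
    """Sum bytes_out per (host, process); malformed lines are skipped, not fatal."""
    totals = defaultdict(int)
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            totals[(m["host"], m["proc"])] += int(m["bytes"])
    return dict(totals)

def egress_hits(lines, threshold_bytes=500 * 1024 * 1024):
    """Second rule plus volume: non-browser processes at or above the byte threshold."""
    return sorted((host, proc, total) for (host, proc), total in egress_by_process(lines).items()
                  if proc.lower() not in BROWSERS and total >= threshold_bytes)
```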
KQL (Microsoft Sentinel / Defender)
This query hunts for suspicious file creation events (archiving) on endpoints that might indicate data staging.
// Hunt for recent archive creation on endpoints whose parent command line references patient data
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| where InitiatingProcessCommandLine contains "patient"
    or InitiatingProcessCommandLine contains "radiology"
    or InitiatingProcessCommandLine contains "medical"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FolderPath, FileName
| order by Timestamp desc
Velociraptor VQL
Use this artifact to hunt for recently created archives in user profiles or common data directories.
-- Hunt for archives created or accessed in the last 3 days under user profiles
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="C:/Users/**/*.zip")
WHERE Mtime > timestamp(epoch=now() - 3 * 86400)
   OR Atime > timestamp(epoch=now() - 3 * 86400)

-- Hunt for large RAR files (over 10 MB) modified in the last 7 days
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/**/*.rar")
WHERE Size > 10000000
  AND Mtime > timestamp(epoch=now() - 7 * 86400)
Remediation Script (PowerShell)
This script assists in auditing file shares for suspicious recent modifications or large archives that may indicate staged data.
# Audit for Suspicious Archives on Data Shares
# Requires administrative privileges
$DateThreshold = (Get-Date).AddDays(-7)
$TargetDrives  = @("C:\", "D:\", "E:\")
$Extensions    = @("*.zip", "*.rar", "*.7z", "*.tar.gz")

Write-Host "[+] Scanning for recently created archives..." -ForegroundColor Cyan

foreach ($Drive in $TargetDrives) {
    if (Test-Path $Drive) {
        foreach ($Ext in $Extensions) {
            try {
                # -File skips directories; per-item access errors are suppressed
                $Files = Get-ChildItem -Path $Drive -Filter $Ext -File -Recurse -ErrorAction SilentlyContinue |
                    Where-Object { $_.LastWriteTime -gt $DateThreshold -and $_.Length -gt 1MB }
                foreach ($File in $Files) {
                    $Owner = (Get-Acl -Path $File.FullName -ErrorAction SilentlyContinue).Owner
                    Write-Host "[!] Suspicious Archive Found: $($File.FullName)" -ForegroundColor Yellow
                    Write-Host "    Size: $([math]::Round($File.Length / 1MB, 2)) MB | Modified: $($File.LastWriteTime) | Owner: $Owner"
                }
            }
            catch {
                # Ignore access denied errors for non-sensitive paths
            }
        }
    }
}

Write-Host "[+] Scan complete. Review findings for potential data staging." -ForegroundColor Green
Remediation
- Isolate Affected Systems: If the breach is active, immediately isolate affected workstations or servers from the network to prevent further exfiltration.
- Credential Reset: Force a password reset for all users with access to the impacted file systems, particularly those with administrative privileges. Enforce MFA immediately if not already active.
- Network Segmentation: Verify that PACS and EHR systems are properly segmented from the general network and the internet. Ensure strict firewall rules are in place (allowlisting necessary traffic only).
- Data Loss Prevention (DLP): Implement or review DLP policies to detect and block unauthorized transmission of sensitive data types (e.g., DICOM metadata, SSN, CPT codes) via web gateways and email.
- Audit Access Controls: Review file system permissions (NTFS/Share) to ensure the principle of least privilege is enforced. Revoke unnecessary write access to user directories for service accounts.
- Patient Notification: Comply with HIPAA Breach Notification Rule requirements. This involves notifying HHS, affected individuals, and (if >500 residents in a state) the media, without unreasonable delay.