Back to Intelligence

Responding to Unauthorized PHI Access at Medenet and United Medical Doctors: Defense Guide

SA
Security Arsenal Team
June 11, 2026
5 min read

Recent notifications from Medenet, United Medical Doctors, and Stewart Home & School have confirmed incidents involving unauthorized access to Protected Health Information (PHI). While the specific technical vectors (such as a specific CVE) were not disclosed in the initial breach notifications, the implications for Revenue Cycle Management (RCM) and healthcare providers are severe. Attackers targeting RCM firms like Medenet are seeking high-volume, sensitive patient data to fuel fraud and extortion campaigns.

For defenders, the absence of a specific CVE in the reporting does not reduce the urgency. This confirms an active "Unauthorized Access" threat—likely involving credential compromise, authentication bypass, or web application misconfigurations—resulting in data exfiltration. This post focuses on detecting the behavioral indicators of unauthorized PHI access and securing RCM environments against similar follow-on attacks.

Technical Analysis

Affected Entities & Scope:

  • Medenet: A Revenue Cycle Management (RCM) company. RCMs are high-value targets as they aggregate PHI from multiple providers.
  • United Medical Doctors: A medical provider impacted by the compromise of business associate data.
  • Stewart Home & School: A facility reporting unauthorized access to consumer health information.

Threat Vector: Unauthorized Access / Data Exfiltration.

Attack Chain Analysis: Based on the nature of "unauthorized access" incidents in healthcare, the attack chain typically follows this pattern:

  1. Initial Access: Compromise of valid credentials (phishing, credential stuffing) or exploitation of a web-facing interface (e.g., RCM portal) without multi-factor authentication (MFA).
  2. Persistence: Creation of new webmail accounts or modification of existing user permissions to maintain access to the patient database.
  3. Collection & Exfiltration: Large-scale queries or bulk exports of patient records (names, SSNs, medical records) from the EHR or RCM database.

Exploitation Status: Confirmed. Breach notifications indicate the unauthorized access has already occurred and data was potentially exfiltrated.

Detection & Response

These detection rules focus on the behaviors associated with unauthorized access and data exfiltration from systems holding PHI. Since no specific CVE was disclosed, we hunt for the action of data theft.

Sigma Rules

YAML
---
title: Potential Mass Data Export via Database Utilities
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects execution of common database export utilities which may indicate PHI exfiltration during an unauthorized access incident.
references:
  - https://attack.mitre.org/techniques/T1046/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1046
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\mysqldump.exe'
      - '\pg_dump.exe'
      - '\sqlcmd.exe'
      - '\bcp.exe'
  condition: selection
falsepositives:
  - Legitimate database administrative backups
level: high
---
title: Suspicious PowerShell Web Request Activity
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects PowerShell processes making network requests, often used to bypass controls and exfiltrate data in RCM environments.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  filter_legit:
    User|contains:
      - 'SYSTEM'
      - 'ADMIN'
  condition: selection and not filter_legit
falsepositives:
  - System management scripts
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for unusual sign-in patterns to RCM or EHR applications
// Identifies successful logins from new IP addresses or risky locations
SigninLogs
| where ResultType == 0
| where AppDisplayName contains "Medenet" or AppDisplayName contains "EHR" or AppDisplayName contains "Patient"
| join kind=anti (
    SigninLogs
    | where Timestamp > ago(30d)
    | summarize by IPAddress, UserId
) on UserId
| project Timestamp, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail, RiskLevelDuringSignIn
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recent modifications to files in PHI storage directories
-- This helps identify if files were accessed, copied, or modified during the breach window
SELECT FullPath, Size, Mtime, Atime, Mode, Data
FROM glob(globs="C:\ProgramData\PatientRecords\**\*", accessor="ntfs")
WHERE Mtime > ago(date("-7d")) OR Atime > ago(date("-7d"))

Remediation Script (PowerShell)

PowerShell
# Script to Audit and Lockdown Accounts with excessive privileges
# This helps prevent lateral movement and unauthorized access in RCM environments

# 1. Identify members of high-privilege groups added in the last 30 days
$Groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
foreach ($Group in $Groups) {
    Write-Host "Auditing recent changes to $Group"
    Get-ADGroupMember -Identity $Group | Get-ADUser -Properties whenCreated | 
    Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-30) } | 
    Select-Object Name, SamAccountName, whenCreated
}

# 2. Check for accounts with Password Never Set that are active (Potential backdoors)
Write-Host "Checking for active accounts with password not required..."
Get-ADUser -Filter {(PasswordNotRequired -eq $true) -and (Enabled -eq $true)} | 
Select-Object Name, SamAccountName, LastLogonDate

# 3. Force MFA Registration Check (Conceptual - triggers Azure AD prompt if configured)
Write-Host "Ensure all users in Medenet security group have MFA enforced via Conditional Access policies."

Remediation

Immediate actions are required to secure the PHI environment and prevent further unauthorized access:

  1. Force Password Resets: Require password resets for all users with access to the RCM portals and EHR systems, specifically focusing on the dates identified in the breach notification window.
  2. Implement Strict MFA: Ensure Multi-Factor Authentication (MFA) is enforced for all remote access, web portals, and VPN connections. Biometric or hardware token MFA is preferred over SMS.
  3. Audit Privileged Access: Review and restrict administrative privileges. Remove dormant accounts and ensure "Least Privilege" principles are applied to database access.
  4. Network Segmentation: Ensure PHI databases and RCM systems are segmented from the general network and strictly firewalled.
  5. Log Review: Conduct a thorough review of access logs for the period of unauthorized access. Identify specific patient records accessed and prepare for notification requirements under HIPAA.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachphi-breachmedenetrcm-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action