Back to Intelligence

Supply Chain Incident: Lumexa & FMRS Breaches — Third-Party Access Hardening & Detection

SA
Security Arsenal Team
May 22, 2026
6 min read

Introduction

Recent disclosures confirm that Lumexa Imaging and FMRS Health Systems have suffered data breaches stemming from a security incident at a shared third-party vendor. This breach exemplifies the increasing risk of the supply chain attack vector in the healthcare sector. Attackers are no longer just battering down the front door; they are stealing keys from trusted partners to bypass perimeter defenses entirely.

For defenders, this highlights a critical blind spot: vendor visibility. When a diagnostic imaging service provider or a health system is compromised via a vendor, the attacker often gains legitimate access to sensitive environments, making detection difficult. We need to shift our monitoring from just "malicious intent" to "anomalous trusted behavior." Protected Health Information (PHI), including diagnostic images and patient demographics, is at immediate risk.

Technical Analysis

While specific CVEs were not the primary vector in this specific vendor compromise, the attack chain follows a classic third-party exploitation pattern:

  1. Initial Compromise: The threat actor compromises the vendor's environment, likely via phishing, credential stuffing, or an unpatched service external to the healthcare target.
  2. Lateral Movement: Using legitimate credentials (VPN tokens, RDP access, or API keys) provided by the healthcare entity to the vendor, the attacker moves laterally into the target networks (Lumexa/FMRS).
  3. Data Discovery & Exfiltration: Once inside the imaging or health systems network, the attacker locates repositories containing PHI—often PACS (Picture Archiving and Communication System) servers or file shares. They utilize native tools (e.g., robocopy, rclone) to stage and exfiltrate large volumes of data.

Affected Environment:

  • Platforms: Windows Server environments hosting PACS, Electronic Health Records (EHR) interfaces, and file shares.
  • Data Types: DICOM images, PDF medical records, patient PII (Personally Identifiable Information).

Exploitation Status: Confirmed active exploitation resulting in data disclosure. This is not theoretical; the breach notices confirm data has been accessed.

Detection & Response

In a supply chain breach, the attacker looks like a legitimate user. We must hunt for deviations in the volume and context of that user's activity. The following detections focus on identifying mass data access associated with imaging workflows and suspicious process execution by vendor-privileged accounts.

SIGMA Rules

YAML
---
title: Potential Mass DICOM File Access via PowerShell
id: 8d9f1a2b-3c4e-5d6f-7g8h-9i0j1k2l3m4n
status: experimental
description: Detects potential mass enumeration or access of DICOM medical imaging files using PowerShell, often indicative of data staging prior to exfiltration.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2025/04/04
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '.dcm'
      - '.dicom'
  condition: selection
falsepositives:
  - Legitimate backup scripts or administrative maintenance
level: high
---
title: Suspicious Robocopy Execution from Imaging Server
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects usage of robocopy with flags indicating data transfer (mirroring/copying) originating from a host likely acting as a PACS or file server.
references:
  - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2025/04/04
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\robocopy.exe'
    CommandLine|contains:
      - '/MIR'
      - '/COPYALL'
      - '/E'
  filter_system:
    SubjectUserName: 'SYSTEM'
  condition: selection and not filter_system
falsepositives:
  - Authorized backup operations
level: medium
---
title: Vendor Account Anomalous Remote Login
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
status: experimental
description: Detects remote desktop or VPN logins by accounts belonging to known vendor groups outside of typical business hours, a common indicator of compromised supply chain credentials.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2025/04/04
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    EventID: 4624
    LogonType:
      - 10 # RemoteInteractive
      - 2 # Interactive
    SubjectGroupName|contains:
      - 'Vendor'
      - 'ThirdParty'
      - 'External'
  timeframe: 24h
  condition: selection
falsepositives:
  - Legitimate after-hours emergency maintenance by vendors
level: high

KQL (Microsoft Sentinel / Defender)

Hunts for high-volume file read operations associated with imaging extensions or unusual network egress from internal file servers.

KQL — Microsoft Sentinel / Defender
// Hunt for high volume access to DICOM/Imaging files
DeviceFileEvents
| where FileName endswith ".dcm" 
   or FileName endswith ".dicom"
   or FileName endswith ".nii"
| summarize Count = count(), Files = makeset(FileName) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, bin(Timestamp, 1h)
| where Count > 100 // Threshold tuning required based on baseline
| sort by Count desc

// Hunt for suspicious network egress volume from file servers
DeviceNetworkEvents
| where ActionType == "ConnectionAccepted"
| where DeviceName in ("PACS-SRV-01", "FILE-SRV-02") // Replace with known asset names
| summarize TotalBytes = sum(SentBytes + ReceivedBytes) by DeviceName, RemoteIP, RemoteUrl, bin(Timestamp, 1h)
| where TotalBytes > 50000000 // > 50MB threshold
| sort by TotalBytes desc

Velociraptor VQL

Endpoint artifact collection to identify active network connections and processes interacting with medical imaging data directories.

VQL — Velociraptor
-- Hunt for processes accessing DICOM directories or handling high volume files
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE CommandLine =~ 'dcm' 
   OR Name =~ 'robocopy'
   OR Name =~ 'rclone'

-- Check for established network connections from critical servers
SELECT RemoteAddress, RemotePort, State, Pid, ProcessName
FROM netstat()
WHERE State =~ 'ESTABLISHED'
  AND (RemotePort IN (443, 445, 3389) OR RemotePort > 1024)

Remediation Script (PowerShell)

This script audits local group memberships for vendor accounts to identify privilege creep and reviews recent RDP connections.

PowerShell
# Audit Vendor Privileges and Recent RDP Connections

Write-Host "[+] Auditing Vendor Account Group Memberships..."
$VendorGroups = @("Vendor Access", "Third-Party Admins", "External Support") # Customize groups

Get-LocalGroup | Where-Object { $VendorGroups -contains $_.Name } | ForEach-Object {
    $Group = $_
    $Members = Get-LocalGroupMember -Group $Group.Name
    if ($Members) {
        Write-Host "Group: $($Group.Name)" -ForegroundColor Yellow
        $Members | Format-Table Name, PrincipalSource, SID -AutoSize
    }
}

Write-Host "[+] Checking for recent RDP/Remote interactive logons (Last 24h)..."
$Date = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=$Date} -ErrorAction SilentlyContinue |
Where-Object {$_.Message -match 'Logon Type:\s*10' -or $_.Message -match 'Logon Type:\s*2'} |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='SourceIP';E={$_.Properties[19].Value}} |
Format-Table -AutoSize

Write-Host "[+] Audit Complete. Review output for unauthorized accounts."

Remediation

Immediate and medium-term actions are required to secure the supply chain:

  1. Vendor Credential Reset & MFA Enforcement: Assume the vendor's credentials in your environment are compromised. Force a password reset for all vendor accounts and enforce FIDO2 or phishing-resistant MFA. Do not allow SMS or voice codes for high-privilege vendor access.

  2. Network Segmentation: Ensure vendor access is strictly segmented. Vendors should only connect via a Jump Host / Bastion and have access only to the specific subnets required for their duties (e.g., a specific PACS share, not the entire domain).

  3. Implement Just-In-Time (JIT) Access: Move away from standing vendor privileges. Use privileged access management (PAM) solutions to grant vendor access only for the duration of a specific approved ticket.

  4. Egress Filtering: Review firewall logs for data exfiltration from the affected segments. Block outbound internet access from PACS and file servers unless strictly necessary for business operations.

  5. Data Loss Prevention (DLP): Tune DLP policies to alert on large transfers of DICOM files or unstructured PII to unauthorized cloud storage or external IPs.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachthird-party-riskdata-breachhealthcare-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action