In November 2025, The Oncology Institute (TOI) disclosed a significant security incident stemming from a third-party software provider. This breach resulted in the unauthorized access and potential exfiltration of sensitive patient information. While the investigation into the vendor's environment is ongoing, the incident highlights a critical reality for healthcare defenders: your perimeter is only as strong as your weakest vendor link.
For SOC analysts and CISOs, this is not just a headline; it is a warning indicator. Supply chain compromises in healthcare are often the initial access vector for ransomware operations or large-scale PHI theft. This post provides a technical breakdown of the attack mechanics associated with third-party compromises and delivers actionable detection logic and hardening steps to secure your ecosystem against similar intrusions.
Technical Analysis
Affected Products & Platforms:
- Target: The Oncology Institute Network (Healthcare Delivery Organization - HDO).
- Vector: Third-Party Software Provider (Supply Chain).
- Platform: Windows-based infrastructure (typical for HDOs supporting EHR/EMR integration).
Threat Overview: Although the specific CVE identifier has not been publicly released as of the November 2025 disclosure, the attack pattern is consistent with Supply Chain Compromise (MITRE ATT&CK T1195) and Initial Access via Trusted Relationship. In these scenarios, attackers compromise a vendor's remote access tool, VPN credentials, or software update mechanism to pivot into the target network.
Attack Chain:
- Vendor Compromise: The third-party software provider is breached, likely via credential harvesting or exploitation of a public-facing vulnerability.
- Lateral Movement: Threat actors use the vendor's legitimate credentials or trusted software tunnels to bypass the HDO's firewall and access internal systems.
- Discovery & Collection: Attackers move laterally to locate databases or file servers containing Protected Health Information (PHI).
- Exfiltration: Data is staged and exfiltrated, often masked as large encrypted archives or standard administrative traffic.
Exploitation Status:
- Confirmed Active Exploitation: Yes. The breach at The Oncology Institute has been confirmed, and the vendor's investigation is active.
- CISA KEV Status: Pending specific CVE publication.
Detection & Response
Defending against third-party compromises requires monitoring for anomalies in privileged access and data movement patterns. Below are detection rules and hunts tailored to identify the signs of a supply chain breach in a healthcare environment.
SIGMA Rules
---
title: Potential Vendor Account Interactive Logon
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects interactive logons (Type 2 or 10) from accounts matching vendor naming conventions or external group memberships, which may indicate misuse of third-party credentials.
references:
    - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2025/11/01
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType:
            - 2   # Interactive
            - 10  # RemoteInteractive
        # The account name lives in TargetUserName for event 4624; LogonType is numeric
        TargetUserName|contains:
            - 'Vendor'
            - 'Support'
            - 'Admin'
    filter_legit:
        TargetUserName|contains:
            - 'LocalAdmin'
            - 'Administrator'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate vendor maintenance activities
level: high
---
title: Suspicious PowerShell Data Staging
id: 9b2c3d4e-5f6a-7890-1234-567890abcdef
status: experimental
description: Detects PowerShell commands often used to stage data for exfiltration, such as compression (Compress-Archive) or large file recursion, commonly seen in PHI theft.
references:
    - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2025/11/01
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Compress-Archive'
            - 'Copy-Item -Recurse'
            - 'Invoke-WebRequest'
    condition: selection
falsepositives:
    - Administrative backup scripts
level: medium
---
title: High Volume Egress to Non-Standard Ports
id: 0c3d4e5f-6a7b-8901-2345-678901abcdef
status: experimental
description: Detects outbound network connections to external (non-private) IPs on non-standard ports, indicative of data exfiltration. Sysmon network events carry no byte counts, so confirm volume against firewall or NetFlow data.
references:
    - https://attack.mitre.org/techniques/T1041/
author: Security Arsenal
date: 2025/11/01
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
    # Sigma has no "|not" modifier; exclusions go in filters referenced from the condition
    filter_standard_ports:
        DestinationPort:
            - 443
            - 80
            - 53
    filter_private:
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '127.0.0.0/8'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate cloud backup traffic
level: high
KQL (Microsoft Sentinel / Defender)
// Hunt for third-party vendor logons outside of business hours
// Adjust VendorPattern and the BusinessStart/BusinessEnd hours to fit your environment
let VendorPattern = @"(?i)(vendor|support|contractor)";
let BusinessStart = 7;  // 07:00, in the timezone of TimeGenerated (UTC by default)
let BusinessEnd = 19;   // 19:00
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624
| where LogonType in (2, 10) // Interactive or RemoteInteractive
// SecurityEvent already splits the principal: TargetUserName is the user, TargetDomainName the domain
| extend Account = tostring(TargetDomainName), User = tostring(TargetUserName)
| where User matches regex VendorPattern
| where hourofday(TimeGenerated) < BusinessStart or hourofday(TimeGenerated) >= BusinessEnd
| project TimeGenerated, Computer, Account, User, IpAddress, WorkstationName
| summarize count() by User, IpAddress, bin(TimeGenerated, 1h)
| where count_ > 5 // Threshold for multiple logons
| order by TimeGenerated desc
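The same hunt logic, written as an added Python example that is not part of the original post, so that it can be exercised offline against a handful of constructed 4624 events. It mirrors the Sigma rule above (event 4624, logon type 2 or 10, vendor-like account name, known admin accounts filtered out) and the KQL threshold (more than five logons per account, source IP and hour, outside assumed business hours of 07:00 to 19:00). Field names follow the Sigma/KQL fields used on this page; the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

VENDOR_PATTERN = re.compile(r"(vendor|support|contractor)", re.IGNORECASE)
LEGIT_PATTERN = re.compile(r"(LocalAdmin|Administrator)", re.IGNORECASE)  # filter_legit
INTERACTIVE_LOGON_TYPES = {2, 10}          # Interactive, RemoteInteractive
BUSINESS_START, BUSINESS_END = 7, 19       # assumed business hours (UTC)
BURST_THRESHOLD = 5                        # logons per user/IP/hour, as in the KQL hunt


def is_candidate(event):
    """Mirror the Sigma selection: 4624, interactive/RDP, vendor-like name, not a known admin."""
    if event["EventID"] != 4624 or event["LogonType"] not in INTERACTIVE_LOGON_TYPES:
        return False
    user = event["TargetUserName"]
    return bool(VENDOR_PATTERN.search(user)) and not LEGIT_PATTERN.search(user)


def is_off_hours(ts):
    """True when the timestamp falls outside the assumed business-hours window."""
    return ts.hour < BUSINESS_START or ts.hour >= BUSINESS_END


def hunt(events):
    """Return {(user, ip, hour_bucket): count} for buckets exceeding BURST_THRESHOLD."""
    buckets = defaultdict(int)
    for ev in events:
        if not is_candidate(ev):
            continue
        ts = ev["TimeGenerated"]
        if not is_off_hours(ts):
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)   # bin(TimeGenerated, 1h)
        buckets[(ev["TargetUserName"], ev["IpAddress"], bucket)] += 1
    return {key: n for key, n in buckets.items() if n > BURST_THRESHOLD}


def _ev(user, ip, hour, minute, logon_type=10, event_id=4624):
    """Build one constructed 4624-style event record."""
    return {
        "EventID": event_id,
        "LogonType": logon_type,
        "TargetUserName": user,
        "IpAddress": ip,
        "TimeGenerated": datetime(2025, 11, 3, hour, minute, tzinfo=timezone.utc),
    }


# Constructed sample events: six RDP logons by a vendor account at 02:xx from one IP
# (should alert), two daytime logons (ignored), a local admin account at night
# (filtered out), and one network logon (type 3, not interactive).
SAMPLE_EVENTS = (
    [_ev("svc_vendor_ehr", "203.0.113.7", 2, m) for m in range(0, 60, 10)]
    + [_ev("svc_vendor_ehr", "203.0.113.7", 10, m) for m in (5, 15)]
    + [_ev("LocalAdmin", "10.0.0.5", 3, m) for m in range(0, 60, 10)]
    + [_ev("svc_vendor_ehr", "203.0.113.7", 2, 30, logon_type=3)]
)

if __name__ == "__main__":
    for (user, ip, bucket), n in hunt(SAMPLE_EVENTS).items():
        print(f"ALERT {bucket:%Y-%m-%d %H:00} {user} from {ip}: {n} interactive logons")
```

Running the script prints a single alert for the vendor account's 02:00 bucket; the daytime logons, the admin account and the network logon are all dropped by the same filters the Sigma rule and KQL apply.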
Velociraptor VQL
-- Hunt for established network connections to non-loopback IPs on non-standard ports
-- from shells and the IIS worker process. netstat() reports the column as Status (not
-- State) and carries no command line, so the owning process is looked up via pslist().
LET SuspectConnections = SELECT
        Pid,
        Name,
        Laddr.IP AS LocalIP,
        Raddr.IP AS RemoteIP,
        Raddr.Port AS RemotePort,
        Status
    FROM netstat()
    WHERE Status =~ 'ESTAB'
      AND NOT Raddr.IP IN ('127.0.0.1', '::1', '0.0.0.0')
      -- Look for common webshell hosts or admin tools (=~ is a regex match)
      AND Name =~ '^(powershell|cmd|w3wp)\.exe$'
      -- Flag non-standard ports
      AND NOT Raddr.Port IN (80, 443, 22)

-- Enrich each hit with the process command line
SELECT Pid, Name, CommandLine, LocalIP, RemoteIP, RemotePort, Status
FROM foreach(
    row=SuspectConnections,
    query={
        SELECT Pid, Name, CommandLine, LocalIP, RemoteIP, RemotePort, Status
        FROM pslist(pid=Pid)
    })
Remediation Script (PowerShell)
<#
.SYNOPSIS
    Audit and disable inactive third-party vendor accounts.
.DESCRIPTION
    This script scans Active Directory for enabled accounts whose description or
    SamAccountName matches a vendor naming convention and disables them if they have
    not logged in within 90 days. Accounts that have never logged in are only disabled
    if they were also created more than 90 days ago, so freshly provisioned vendor
    accounts are not disabled before first use. This is a crucial step to contain
    supply chain risks.
#>
Import-Module ActiveDirectory

$InactiveDays   = 90
$VendorKeywords = @("Vendor", "Contractor", "Support", "ThirdParty")
$VendorPattern  = $VendorKeywords -join '|'
$TimeThreshold  = (Get-Date).AddDays(-$InactiveDays)
$ReportPath     = ".\Vendor_Account_Audit_$(Get-Date -Format yyyyMMdd).csv"

Write-Host "[*] Starting Vendor Account Audit..."

# LastLogonDate is derived from the replicated lastLogonTimestamp attribute and can lag
# real activity by up to 14 days, so a 90-day threshold leaves a safe margin.
$VendorUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties Description, LastLogonDate, Created |
    Where-Object {
        $_.Description -match $VendorPattern -or $_.SamAccountName -match $VendorPattern
    }

$ActionTaken = @()
foreach ($User in $VendorUsers) {
    $NeverLoggedOn = $null -eq $User.LastLogonDate
    if ($NeverLoggedOn) {
        $Stale  = $User.Created -lt $TimeThreshold
        $Reason = "Never logged on, created > $InactiveDays days ago"
    } else {
        $Stale  = $User.LastLogonDate -lt $TimeThreshold
        $Reason = "Inactive > $InactiveDays days"
    }
    if (-not $Stale) { continue }

    Write-Host "[!] Disabling inactive account: $($User.SamAccountName) (Last Logon: $($User.LastLogonDate))" -ForegroundColor Yellow
    try {
        Disable-ADAccount -Identity $User.SamAccountName
        $ActionTaken += [PSCustomObject]@{
            Username = $User.SamAccountName
            Status   = 'Disabled'
            Reason   = $Reason
        }
    }
    catch {
        Write-Host "[-] Failed to disable $($User.SamAccountName): $_" -ForegroundColor Red
    }
}

if ($ActionTaken.Count -gt 0) {
    $ActionTaken | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "[*] Audit complete. Report saved to $ReportPath"
} else {
    Write-Host "[*] No inactive vendor accounts found."
}
Remediation
To mitigate the risks associated with third-party compromises similar to The Oncology Institute incident, implement the following defensive measures immediately:
- Enforce Zero Trust Network Access (ZTNA): Remove implicit trust for vendor connections. Vendors should only access the specific resources required for their role, not the entire network segment. Implement micro-segmentation around PHI databases.
- Vendor Risk Management (VRM) Audit: Immediately request a formal security posture review (SOC 2 Type II, ISO 27001, or penetration test results) from all third-party software providers with access to sensitive data.
- MFA for All External Access: Ensure that all third-party access is protected by phishing-resistant Multi-Factor Authentication (MFA). Disable static VPN credentials for vendors in favor of device-aware conditional access policies.
- User Behavior Analytics (UBA): Deploy UBA rules to alert on "impossible travel" scenarios, where a vendor account is used from two geographically distant locations at the same time or closer together than physical travel would allow.
- Egress Filtering: Configure firewalls to block outbound traffic from critical servers (EHR/EMR) to the internet unless strictly necessary (e.g., via a secure proxy).
Vendor Advisory: Monitor updates from The Oncology Institute and their third-party vendor for the specific IoCs (Indicators of Compromise) related to this breach. If you utilize the same third-party software, assume compromise until proven otherwise.