Introduction
The Washington Department of Social and Health Services (DSHS) disclosed a security incident affecting 8,600 individuals, stemming from an insider data breach. Unlike an external ransomware or supply chain attack, this incident involved unauthorized access to protected health information (PHI) by an individual using legitimate internal credentials. It highlights a blind spot for many organizations: privileged insiders, or compromised legitimate accounts, reading sensitive data for non-business purposes.
For defenders, the lesson is that perimeter controls do nothing against an actor who already holds valid credentials and authorized access. The consequences are HIPAA violations, identity theft risk for the affected patients, and loss of public trust. Immediate action is required to audit who can reach PHI and why, detect anomalous record-access patterns, and enforce least privilege so that access follows assigned caseloads.
Technical Analysis
- Affected Platforms: State healthcare systems / Electronic Health Record (EHR) databases holding PHI. (The initial alert did not name specific vendors or systems; the vector is internal access to systems housing PHI.)
- CVE Identifier: N/A (This is an insider breach/policy violation, not a software vulnerability exploitation).
- Attack Chain:
- Access: An authenticated insider (or an account compromised via credential theft) signs in to systems holding PHI with permissions that were legitimately granted.
- Discovery/Collection: The actor queries or views records outside their assigned caseload or jurisdiction. This may involve bulk exports or sequential access to thousands of records, and it is visible only in the EHR application's access-audit log, not in endpoint telemetry.
- Exfiltration: The disclosure does not describe the exfiltration channel; the likely channels are email, cloud storage uploads, or removable media (USB).
- Exploitation Status: Confirmed breach with actual PHI exposure (a policy and access-control failure, not an exploited software flaw). Immediate incident response and forensic review of access logs are required.
Detection & Response
Detecting insider threats requires a shift from signature-based detection to behavioral analytics. Defenders must look for deviations from a user's baseline, such as accessing an unusually high volume of records in a short window, accessing records of patients not on the user's caseload, walking through records in sequential ID order, or viewing and transferring data outside business hours. Record views inside the EHR do not appear in endpoint file telemetry, so the EHR application's own access-audit log is the primary source for those signals; the endpoint rules below cover the staging and export steps that follow.
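The behavioral checks described above, implemented as an added worked example that is not part of the DSHS disclosure or any named product. It runs four checks over EHR access-audit records: out-of-caseload access, burst volume in a sliding 5-minute window, after-hours access, and sequential patient-ID walking. The log format, the user-to-caseload mapping, the thresholds and every sample line are constructed assumptions for illustration; a real deployment would read the EHR's audit export and the assignment data from the scheduling system.

```python
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Constructed sample EHR access-audit log (assumed format: ISO timestamp,user,patient_id,action).
# jdoe behaves normally; asmith views 60 records outside her caseload, in ascending ID order,
# late in the evening, within three minutes. All of this data is made up for the example.
_BURST = "\n".join(
    f"2026-04-14T22:{47 + i // 20:02d}:{(i * 3) % 60:02d},asmith,{300001 + i},VIEW"
    for i in range(60)
)
SAMPLE_LOG = "\n".join([
    "2026-04-14T09:12:04,jdoe,100231,VIEW",
    "2026-04-14T09:15:40,jdoe,100232,VIEW",
    "2026-04-14T10:01:11,asmith,200417,VIEW",
    "2026-04-14T14:30:00,jdoe,100233,UPDATE",
    _BURST,
])
CASELOADS = {  # assumed assignments; in production these come from the scheduling/HR system
    "jdoe": {100231, 100232, 100233},
    "asmith": {200417, 200418},
}

def parse_log(text):
    """Parse audit lines into dicts, skipping blanks and '#' comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, pid, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": int(pid), "action": action})
    return events

def _by_user(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["user"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])  # chronological per user
    return groups

def out_of_caseload(events, caseloads):
    """Patient IDs each user touched that are not on their assigned caseload."""
    hits = defaultdict(set)
    for e in events:
        if e["patient"] not in caseloads.get(e["user"], set()):
            hits[e["user"]].add(e["patient"])
    return dict(hits)

def peak_window_count(events, window=timedelta(minutes=5)):
    """Most record accesses by one user inside any sliding time window (two-pointer scan)."""
    peaks = {}
    for user, evs in _by_user(events).items():
        start = best = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks

def after_hours_count(events, day_start=time(7, 0), day_end=time(19, 0)):
    """Accesses outside the assumed business window; weekends count as after hours."""
    counts = Counter()
    for e in events:
        t = e["ts"]
        if t.weekday() >= 5 or not (day_start <= t.time() < day_end):
            counts[e["user"]] += 1
    return dict(counts)

def longest_sequential_run(events):
    """Longest back-to-back run of consecutive ascending patient IDs per user (table walking)."""
    runs = {}
    for user, evs in _by_user(events).items():
        best = run = 1
        for prev, cur in zip(evs, evs[1:]):
            run = run + 1 if cur["patient"] == prev["patient"] + 1 else 1
            best = max(best, run)
        runs[user] = best
    return runs

def analyze(log_text, caseloads, burst_threshold=20, run_threshold=10):
    """Combine the four checks into per-user findings; thresholds are assumed starting points."""
    events = parse_log(log_text)
    findings = defaultdict(list)
    for user, ids in out_of_caseload(events, caseloads).items():
        findings[user].append(f"{len(ids)} records outside caseload")
    for user, n in peak_window_count(events).items():
        if n >= burst_threshold:
            findings[user].append(f"{n} accesses in a 5-minute window")
    for user, n in after_hours_count(events).items():
        findings[user].append(f"{n} after-hours accesses")
    for user, n in longest_sequential_run(events).items():
        if n >= run_threshold:
            findings[user].append(f"sequential ID run of {n}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in analyze(SAMPLE_LOG, CASELOADS).items():
        print(f"{user}: " + "; ".join(reasons))
```

On the constructed sample, jdoe produces no findings and asmith trips all four checks. The out-of-caseload check is the strongest signal because it needs no baseline, only the assignment data; the volume and sequential-run thresholds should be tuned against a few weeks of real audit data, since medical records staff and billing roles legitimately touch many charts per hour.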
SIGMA Rules
---
title: Potential Mass PHI Access via Sensitive Folders
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects a single account touching an unusually large number of files under directories that commonly hold PHI (record shares, EHR export folders) within a short window. A bare path match would fire on every legitimate access, so the rule counts per user over the timeframe; tune the threshold against the share's normal traffic.
references:
    - https://attack.mitre.org/techniques/T1039/
    - https://attack.mitre.org/techniques/T1083/
author: Security Arsenal
date: 2026-04-15
tags:
    - attack.collection
    - attack.t1039
    - attack.discovery
    - attack.t1083
logsource:
    category: file_access
    product: windows
    definition: 'Requires file read auditing (Microsoft-Windows-Kernel-File ETW provider or Security 4663 on the share), since Sysmon does not record reads'
detection:
    selection:
        FileName|contains:
            - '\PHI_Share\'
            - '\Patient_Records\'
            - '\EHR_Export\'
    timeframe: 5m
    condition: selection | count() by User > 100
falsepositives:
    - Authorized bulk backups or administrative maintenance
    - Scheduled ETL or export jobs (add their service accounts to a filter)
level: high
---
title: Potential Data Staging via Compression Tools
id: 9b2c3d4e-5f6a-7890-1b2c-3d4e5f67890a
status: experimental
description: Detects archive creation with common compression tools, a frequent staging step before an insider moves data off the host. RAR and 7-Zip create archives with the 'a' (add) command, not a '-a' switch, so the command-line match covers both forms.
references:
    - https://attack.mitre.org/techniques/T1560/001/
author: Security Arsenal
date: 2026-04-15
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\winrar.exe'
            - '\rar.exe'
            - '\7z.exe'
            - '\7za.exe'
            - '\winzip64.exe'
    selection_cmd:
        CommandLine|contains:
            - ' a '     # rar / 7z add command
            - ' -a'     # WinZip command-line add
    filter_service_accounts:
        User|contains:
            - 'ADMIN'
            - 'SYSTEM'
            - 'BACKUP'
    condition: all of selection_* and not filter_service_accounts
falsepositives:
    - Legitimate user archiving of personal or project files
    - Software packaging or build jobs
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for high-volume file activity under PHI folders or on data-file extensions.
// DeviceFileEvents records create/modify/rename/delete, not reads, so record
// browsing inside the EHR must be hunted in the application's audit log instead.
DeviceFileEvents
| where Timestamp > ago(7d)
| extend Ext = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where FolderPath contains "PHI" or FolderPath contains "Patient" or Ext in (".csv", ".xlsx", ".mdb", ".bak")
| summarize Count = count(), Files = dcount(FileName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, Account = InitiatingProcessAccountName, Process = InitiatingProcessFileName, FolderPath
| where Count > 50 // Threshold for suspicious bulk activity; tune to the environment's baseline
| project DeviceName, Account, Process, FolderPath, Count, Files, FirstSeen, LastSeen
| order by Count desc
Velociraptor VQL
-- Hunt for recent creation of archive files in user profiles or temp folders
-- (staging artifacts from the compression step above; Btime is the file creation time)
SELECT OSPath, Size, Mtime, Btime
FROM glob(globs=[
    "C:/Users/*/**/*.zip",
    "C:/Users/*/**/*.7z",
    "C:/Users/*/**/*.rar",
    "C:/Windows/Temp/**/*.zip"
])
WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
ORDER BY Mtime DESC