healthcare data breach — methodology

what evidence exists and how fast it dies

the first 10 minutes

1. isolate compromised accounts — disable sync tokens before more phi leaves via onedrive or sharepoint.
2. preserve dicom exports and registry files from suspect paths — hash before any analyst opens them.
3. pull m365 unified audit for the account and ip — 14 days back minimum.
4. collect security.evtx from pacs / imaging hosts before reboot or log rotation.
5. check siem ingestion for silence on imaging hosts during the reported window.
6. document who collected what, when, and where — first custody row goes in now.
7. flag any export labeled de-identified — dicom metadata may still carry phi tags.
8. search for event 1102 (audit cleared) and vssadmin shadow delete on imaging servers.
9. notify privacy officer with a factual timeline — not a patient count yet.
10. begin the path below.

the path

1. 1. dicom metadata forensics

   exported .dcm studies. surfaces patient name, mrn, dob, and accession tags even when the export label says de-identified.why first: phi scope starts with what actually left the pacs — metadata tags survive long after the viewer strips pixels.

2. 2. access database forensics

   legacy .mdb patient registry. reads tblPatients, bulk-export queries, AutoExec strings, and last-modified tables.why second: flat-file registries hold row counts and query history that ehr audit exports miss.

3. 3. office365 audit log analyzer

   unified audit json export. flags SharePoint FileDownloaded bursts, OneDrive sync spikes, and suspicious search queries.why third: cloud exfil often rides legitimate sync — volume and source ip matter more than a single download event.

4. 4. microsoft365 audit log analyzer

   same ual export with alternate field normalization. cross-checks operation names, workload, and client ip across records.why fourth: parser differences catch records the first pass drops — run both before you close the exfil window.

5. 5. log gap analyzer

   security.evtx from pacs or imaging hosts. detects contiguous silence, event 1102 audit cleared, and vssadmin shadow deletes.why fifth: attackers clear local logs before siem catches up — the gap is often the only proof of the export window.

6. 6. log ingestion gap detector

   siem forwarder csv vs peer hosts. compares FISCHER-PACS-01 silence duration against baseline ingestion rates.why sixth: host-level clearing does not always show in the dashboard — ingestion gaps reveal what the siem never received.

7. 7. log authenticity scorer

   exported audit trail text. scores out-of-order timestamps, mixed crlf, and injection markers against expected format.why seventh: tampered exports undermine notification scoping — authenticity flags go to counsel before you cite row counts.

8. 8. chain of custody gap detector

   evidence handoff csv. flags gaps over 24 hours, unsigned transfers, and missing collector identity between collection and analysis.why last: phi cases face downstream scrutiny — custody breaks do not change the breach but they change what holds up in review.

common false leads

• export labeled de-identified means no phi — dicom metadata tags often survive de-identification workflows.
• one patient chart accessed equals one individual affected — bulk registry queries and study exports scale scope.
• m365 audit is complete because the portal shows records — ual retention gaps and cleared host logs hide windows.
• siem silence means no activity — ingestion gaps mask pacs events that never reached the dashboard.
• legacy access db is out of scope because ehr is modern — flat-file registries still hold row counts and export history.
• chain of custody is paperwork for court — custody gaps undermine notification scoping reviews and downstream audits.

what we can tell you, what we can't

we can tell you:

• phi tags present in dicom metadata vs de-identification claims
• bulk-export query patterns and table row counts in access registries
• sharepoint / onedrive download volume and source ip from ual exports
• contiguous evtx silence, audit-cleared events, and siem ingestion gaps vs peers
• audit trail authenticity signals and chain-of-custody gap flags

we can't tell you:

• whether hipaa breach notification is required — counsel and privacy officer determine that
• exact affected individual count when logs are incomplete — gaps produce lower bounds only
• live ehr or pacs queries — you bring exports; nothing leaves the browser
• regulatory filing deadlines or state add-on requirements — compliance and legal territory

handing it off

• privacy officer / compliance: factual notification scoping inputs — phi element categories found in dicom/registry artifacts, systems and accounts involved, first/last timestamp bounds from ual and host logs, and explicit flags where log gaps prevent a firm patient count. this is investigation output, not legal advice on whether notification is required.
• legal counsel: timeline with log integrity issues annotated (audit cleared, ingestion silence, tampered export markers, custody gaps). counsel applies regulatory tests — we supply defensible facts.
• it / security: compromised account list, imaging host iocs, siem forwarder repair, and preserved evtx / ual exports for extended retention holds.
• law enforcement / ocr: if criminal referral or hhs reporting is pursued — representative artifact set, ip and account attribution, and a gap map showing what the logs cannot prove.

further reading

• HHS OCR · breach notification overview
• CISA · healthcare sector cybersecurity
• MITRE ATT&CK · data from information repositories

reference investigation