healthcare data breach — quick-start
healthcare breach — first 10 minutes. scope PHI exposure before notifying. print this, check boxes, then run the primary tools.
checklist
- identify the affected system(s) — EHR, billing platform, imaging archive, or messaging — before declaring scope to legal.
- pull access logs for the affected system for at least 60 days back: patient record access events, query logs, bulk exports. if the earliest suspicious event sits at the edge of that window, pull further back until you reach clean history.
- export audit logs for any account that accessed records outside their normal patient population or role.
- check for bulk exports or data downloads from the EHR or data warehouse during the exposure window.
- identify the first anomalous access event: this fixes the start of the exposure window and bounds the affected population. note that the HIPAA breach notification clock (45 CFR §164.404) runs from discovery, not from the first access event, and discovery counts from the day the breach was known or, with reasonable diligence, would have been known.
- preserve system logs on read-only media, and record a hash of each file, before any patching, migration, or auto-purge (log rotation, retention jobs) runs.
- pull identity provider logs for service accounts and admin accounts with EHR access.
- engage privacy counsel and compliance before notifying HHS OCR or patients: obligations scale with size. 500 or more affected individuals requires notice to HHS within 60 days of discovery, plus media notice where that many residents of one state or jurisdiction are affected; smaller breaches are logged and reported to HHS annually. state breach laws can add shorter deadlines.
- note the count of affected individuals, their PHI categories (demographics, diagnoses, financials), and whether any of it is SSN or payment card data.
- begin the primary tool path below — EHR audit log analyzer and PHI exposure classifier.
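A worked pass over the checklist above, as an added example (Python written for this page, not a tool from the page or any EHR vendor). It assumes a constructed CSV export with columns ts, user, role, patient_id, unit, action and rows, a role-to-unit roster, a bulk-export threshold and a fixed "now"; all of those are assumptions, and real EHR audit schemas differ. It applies the lookback, the out-of-scope access check and the bulk-export check, then reports the first anomalous event as the start of the exposure window, the accounts whose full audit trails need pulling, and the patients that can be enumerated from this log alone.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: one row per record access, shaped like an EHR audit export.
# Column names are assumed; real schemas differ. rn_ortho is an ORTHO nurse,
# billing1 a billing clerk, svc_etl a service account that runs nightly jobs.
AUDIT_CSV = """ts,user,role,patient_id,unit,action,rows
2024-01-02T08:00:00,rn_ortho,nurse,P090,ORTHO,view,1
2024-03-01T08:02:00,rn_ortho,nurse,P100,ORTHO,view,1
2024-03-01T08:05:00,rn_ortho,nurse,P101,ORTHO,view,1
2024-03-01T23:40:00,rn_ortho,nurse,P300,ONC,view,1
2024-03-02T00:10:00,rn_ortho,nurse,P301,ONC,view,1
2024-03-02T00:12:00,rn_ortho,nurse,P302,ONC,view,1
2024-03-02T02:30:00,svc_etl,service,*,ALL,export,48000
2024-03-02T09:00:00,billing1,billing,P100,ORTHO,view,1
2024-03-03T09:00:00,svc_etl,service,*,ALL,export,1200
"""

# Assumed baselines (roster/HR data in practice): units each role legitimately
# touches, and the largest row count a routine job produces. Tune per site.
ROLE_UNITS = {"nurse": {"ORTHO"}, "billing": {"ORTHO", "ONC"}, "service": {"ALL"}}
BULK_ROWS = 10_000
LOOKBACK_DAYS = 60


def parse_audit(text):
    """Parse the CSV export into dicts with a typed timestamp and row count, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["rows"] = int(row["rows"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def in_lookback(events, now, days=LOOKBACK_DAYS):
    """Checklist step: keep only the last `days` of events."""
    return [e for e in events if e["ts"] >= now - timedelta(days=days)]


def out_of_scope_access(events, role_units=ROLE_UNITS):
    """Checklist step: accounts reading records outside their role's patient population."""
    return [e for e in events if e["unit"] not in role_units.get(e["role"], set())]


def bulk_exports(events, threshold=BULK_ROWS):
    """Checklist step: export/download events larger than any routine job."""
    return [e for e in events if e["action"] == "export" and e["rows"] >= threshold]


def triage(events):
    """Combine the checks: exposure window start, accounts to pull full trails for,
    patients enumerable from this log, and exports that need a separate count."""
    anomalies = sorted(out_of_scope_access(events) + bulk_exports(events),
                       key=lambda e: e["ts"])
    patients = {e["patient_id"] for e in anomalies if e["patient_id"] != "*"}
    # A wildcard export cannot be counted from this log; the query behind it has to
    # be re-run against the EHR or warehouse to enumerate affected individuals.
    unenumerated = sum(1 for e in anomalies if e["patient_id"] == "*")
    return {
        "exposure_start": anomalies[0]["ts"] if anomalies else None,
        "accounts": sorted({e["user"] for e in anomalies}),
        "patients": patients,
        "unenumerated_exports": unenumerated,
    }


def run_sample():
    """Run the sample with a fixed 'now' so the result is reproducible."""
    now = datetime(2024, 3, 10)
    return triage(in_lookback(parse_audit(AUDIT_CSV), now))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The wildcard export shows the limit of working from access logs alone: the patient count behind a bulk export has to come from re-running the query that produced it, which is why the checklist separates collecting logs from declaring scope to legal.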
primary tools
- 01 dicom medical imaging metadata forensic analyzer: drop dicom files · parse metadata tags · extract patient and equipment data · detect anonymization failures · runs locally
- 02 microsoft access database forensic analyzer: drop mdb or accdb files · parse jet database structure · extract tables · recover deleted records · vba macro scan · runs locally
- 03 office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
- 04 microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange, sharepoint, teams, onedrive and azure ad · surface suspicious operations, privilege changes and data access events · reconstruct user activity timeline · runs locally
- 05 windows event log gap analyzer: drop multiple evtx · merged timeline · logging gaps · clearing events · ransomware prep chains · service persistence hints · runs locally
- 06 log ingestion gap and silent host detector: drop siem export or event log collector export · identify machines that stopped sending logs · calculate expected vs actual log volume per host · detect hosts that went dark · flag suspicious silences · runs locally
- 07 log file authenticity and integrity scorer: drop any log file · verify internal consistency · line endings · timestamps · detect log injection · fabrication indicators · authenticity score · runs locally
- 08 chain of custody gap detector: paste custody log csv · time gaps over threshold · missing signatures · export findings csv · runs locally
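The approach the log ingestion gap and silent host detector card describes, as an added example (illustrative Python written here, not that tool's code). Input is a constructed per-host hourly event-count export; the baseline period, staleness threshold and drop ratio are assumed parameters. It separates two silences a practitioner wants told apart: a host that stops sending entirely, and a host that keeps sending but at a fraction of its baseline volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample():
    """Constructed SIEM export: (host, hour_bucket, event_count) for 2024-03-01..03-05.
    web01 is healthy, ehr-db01 stops sending at 03-03 14:00, and dc01 keeps sending
    but its volume collapses from 03-04 (a throttled or partly disabled forwarder)."""
    rows = []
    start = datetime(2024, 3, 1)
    for h in range(5 * 24):
        t = start + timedelta(hours=h)
        rows.append(("web01", t, 100))
        if t < datetime(2024, 3, 3, 14):
            rows.append(("ehr-db01", t, 250))
        rows.append(("dc01", t, 500 if t < datetime(2024, 3, 4) else 20))
    return rows


def detect_silent_hosts(rows, baseline_end, window_end, stale_hours=6, drop_ratio=0.25):
    """Expected hourly volume per host = median of its buckets before baseline_end.
    Returns {host: (kind, expected, detail)}: kind "dark" when no bucket exists for
    more than stale_hours before window_end (detail = last seen), "volume_drop" when
    the median of buckets in [baseline_end, window_end) is below drop_ratio * expected
    (detail = recent median). Hosts with no baseline are skipped: nothing to compare."""
    per_host = defaultdict(list)
    for host, t, n in rows:
        per_host[host].append((t, n))
    findings = {}
    for host, pts in per_host.items():
        base = [n for t, n in pts if t < baseline_end]
        recent = [n for t, n in pts if baseline_end <= t < window_end]
        if not base:
            continue
        expected = median(base)
        last_seen = max(t for t, _ in pts)
        if window_end - last_seen > timedelta(hours=stale_hours):
            findings[host] = ("dark", expected, last_seen)
        elif recent and median(recent) < drop_ratio * expected:
            findings[host] = ("volume_drop", expected, median(recent))
    return findings


def run_sample():
    """Two days of baseline, then a three-day window ending just after the export."""
    return detect_silent_hosts(build_sample(),
                               baseline_end=datetime(2024, 3, 3),
                               window_end=datetime(2024, 3, 6))


if __name__ == "__main__":
    for host, (kind, expected, detail) in sorted(run_sample().items()):
        print(f"{host}: {kind} (expected {expected}/h, {detail})")
```

The staleness check fires independently of baseline, so a host that goes quiet is reported even if its history is noisy; the volume check is what catches a forwarder left running with most channels disabled, which a pure "last seen" view would miss.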