The front desk's email account was taken over

Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.

The first hour

  1. Force a password reset and revoke all active sessions for the compromised account.
  2. Re-enroll MFA from scratch. App-based or hardware key — not SMS.
  3. Pull the audit log: forwarding rules, inbox rules, sent items, accessed files, OAuth app grants. Attackers commonly add a hidden rule that forwards every message containing 'invoice' or 'records request' to an external address.
  4. Notify every recipient of suspicious messages sent in the last 14 days. Real people you trust, not a mass email.
  5. Check payroll and AP: any change requests in the last 30 days that came from this account need to be confirmed by phone with the requestor.
  6. Review all records released in the last 30 days. Any release that came via an emailed request from this mailbox is a candidate for the breach assessment.
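Steps 3 and 4 above, and the OAuth question in the FAQ below, are the parts of the first hour that are easiest to get wrong by eyeballing an admin console. The following script is an added example, not HackFirstAid tooling and not tied to any specific M365 or Google export format: it takes an exported mailbox audit (inbox rules, OAuth app grants, sent items) and flags the three signals the playbook names: rules that forward outside the practice, keyed on sensitive terms or deleting the original; app grants not on a sanctioned list; and external recipients of mail sent in the last 14 days. The practice domain, the watch terms, the sanctioned-app list and the JSON shapes are all assumptions you would replace with your own.

```python
# Added example (not HackFirstAid's own tooling). Triages an exported mailbox
# audit for the signals in the first-hour steps. All input shapes, the domain,
# the watch terms and the app allowlist are assumptions for illustration.

from datetime import datetime, timedelta, timezone

PRACTICE_DOMAIN = "example-clinic.test"                              # assumed practice mail domain
WATCH_TERMS = ("invoice", "records request", "payroll", "refill")    # assumed sensitive-term watchlist
SANCTIONED_APPS = {"Practice EHR Connector", "Microsoft Teams"}      # assumed approved OAuth apps


def is_external(address: str) -> bool:
    """True when the address is outside the practice's own domain."""
    return address.lower().rsplit("@", 1)[-1] != PRACTICE_DOMAIN


def flag_rules(rules: list[dict]) -> list[dict]:
    """Return inbox/forwarding rules matching the takeover pattern: forward or
    redirect to an external address, keyed on sensitive terms, and/or deleting
    the original so the mailbox owner never sees it."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
        external = [t for t in targets if is_external(t)]
        terms = [t.lower() for t in rule.get("conditions", {}).get("contains", [])]
        watched = [t for t in terms if any(w in t for w in WATCH_TERMS)]
        reasons = []
        if external:
            reasons.append("forwards outside the practice: " + ", ".join(external))
        if watched:
            reasons.append("keyed on sensitive terms: " + ", ".join(watched))
        if actions.get("delete") and targets:
            reasons.append("forwards and then deletes the original")
        if reasons:
            findings.append({"rule": rule.get("name", "<unnamed>"), "reasons": reasons})
    return findings


def flag_oauth_grants(grants: list[dict]) -> list[str]:
    """App grants keep mailbox access after a password reset; anything not on
    the sanctioned list is returned for review and revocation."""
    return sorted(g["app"] for g in grants if g["app"] not in SANCTIONED_APPS)


def recent_external_recipients(sent_items: list[dict], now: datetime, days: int = 14) -> list[str]:
    """Distinct external addresses emailed from this mailbox inside the window:
    the people to contact individually per step 4."""
    cutoff = now - timedelta(days=days)
    found = set()
    for msg in sent_items:
        if datetime.fromisoformat(msg["sent"]) >= cutoff:
            found.update(r for r in msg["to"] if is_external(r))
    return sorted(found)


# Constructed sample export (not real data, not a real tenant).
SAMPLE_RULES = [
    {"name": "Lab callbacks", "conditions": {"contains": ["lab result"]},
     "actions": {"move_to": "Labs"}},
    {"name": ".",  # single-character names are a common way to hide a rule
     "conditions": {"contains": ["invoice", "records request"]},
     "actions": {"forward_to": ["billing.desk@mail-relay.example.net"], "delete": True}},
]
SAMPLE_GRANTS = [
    {"app": "Practice EHR Connector", "scopes": ["Mail.Read"]},
    {"app": "MailSync Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SENT = [
    {"sent": "2024-05-25T09:00:00+00:00",
     "to": ["admin@example-clinic.test", "hr@payroll-vendor.example.com"]},
    {"sent": "2024-05-28T14:30:00+00:00", "to": ["records@otherclinic.example.org"]},
    {"sent": "2024-04-01T08:00:00+00:00", "to": ["old@someone.example.com"]},  # outside window
]


def triage(rules=SAMPLE_RULES, grants=SAMPLE_GRANTS, sent=SAMPLE_SENT, now=NOW) -> dict:
    """One call that produces the three first-hour review lists."""
    return {
        "suspicious_rules": flag_rules(rules),
        "unknown_app_grants": flag_oauth_grants(grants),
        "recipients_to_contact": recent_external_recipients(sent, now),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

The three output lists map onto the playbook directly: suspicious rules are disabled and documented before the audit log is closed out, unknown app grants are revoked in the admin console (the password reset alone does not cut them off), and the recipient list becomes the call sheet for step 4. Running it on a real export means only mapping your tenant's field names onto the assumed keys.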

Frequently asked

Is a takeover of one staff email a HIPAA breach?

Yes, if the mailbox contained PHI — and front-desk mailboxes almost always do (records requests, prior auths, lab callbacks, referral chains). Default to assuming PHI exposure until the audit log proves otherwise.

How fast do we report?

The 60-day Breach Notification clock starts at discovery. State law may be faster (30 or 45 days in CA, FL, several others). HHS notification is concurrent with patient notification, and immediate for breaches affecting 500+ patients in a jurisdiction.

What about the OAuth app grants?

An attacker who installs an OAuth app keeps mailbox access after the password reset. Always review and revoke unknown app grants in the M365 / Google admin console as part of recovery. Most practices forget this step.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.


This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.