The front desk's email account was taken over
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.
The first hour
- 1Force a password reset and revoke all active sessions for the compromised account.
- 2Re-enroll MFA from scratch. App-based or hardware key — not SMS.
- 3Pull the audit log: forwarding rules, inbox rules, sent items, accessed files, OAuth app grants. Attackers commonly add a hidden rule that forwards every message containing 'invoice' or 'records request' to an external address.
- 4Notify every recipient of suspicious messages sent in the last 14 days. Real people you trust, not a mass email.
- 5Check payroll and AP: any change requests in the last 30 days that came from this account need to be confirmed by phone with the requestor.
- 6Review all records released in the last 30 days. Any release that came via an emailed request from this mailbox is a candidate for the breach assessment.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Export the full audit log: sign-ins, IP addresses, mailbox rules created, OAuth grants, mail items accessed.
- Screenshot any suspicious inbox rules BEFORE deleting them — the rule itself is evidence.
- Save copies of every fraudulent message sent from the account, including headers.
- Document the 14-day list of external recipients who received suspicious messages.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- FBI IC3 (BEC / wire-fraud reporting)
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is a takeover of one staff email a HIPAA breach?+
Yes, if the mailbox contained PHI — and front-desk mailboxes almost always do (records requests, prior auths, lab callbacks, referral chains). Default to assuming PHI exposure until the audit log proves otherwise.
How fast do we report?+
The 60-day Breach Notification clock starts at discovery. State law may be faster (30 or 45 days in CA, FL, several others). HHS notification is concurrent with patient notification, and immediate for breaches affecting 500+ patients in a jurisdiction.
What about the OAuth app grants?+
An attacker who installs an OAuth app keeps mailbox access after the password reset. Always review and revoke unknown app grants in the M365 / Google admin console as part of recovery. Most practices forget this step.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.