A patient's portal account has been taken over
The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.
The first hour
- 1If a suspicious portal message arrives — unusual refill request, request to change phone/email, records to a new fax — verify by calling the patient back on the phone number in the chart, not the number in the message.
- 2If the patient confirms they did not send it, lock the portal account immediately in the EHR (athenahealth: Patient → Portal → Disable; eClinicalWorks: Portal → Account Status → Lock; Epic MyChart: Patient → MyChart → Deactivate). Document time and reason in the chart.
- 3Get the prescriber in the loop within minutes if a controlled-substance refill was requested — the script may already have been sent.
- 4If a script was issued, call the pharmacy directly to cancel and hold dispensing. Document the cancellation. Controlled substances escalate to the EPCS playbook.
- 5Force a portal password reset for the patient. Do not email the new password — call them. Walk them through enabling MFA if your EHR supports it.
- 6Check whether other patients had suspicious activity on the same day from the same IP, if your EHR exposes that data.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Export the portal access log for the affected account for the last 30 days — views, downloads, messages sent, demographic changes.
- Screenshot any changes to email, phone, or records-delivery destinations before reverting them.
- Save copies of every fraudulent message sent from the account, including timestamps and any pharmacy interactions.
- Document the four-factor breach risk assessment in writing if PHI was viewed.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- FBI IC3 (identity fraud / pharmacy fraud)
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is one portal takeover a HIPAA breach?+
If the attacker viewed labs, downloaded a CCDA, or read clinical notes, yes — PHI was accessed by an unauthorized party. Notify the patient within 60 days with the data elements involved, the date range of unauthorized access, and remediation steps. Run the four-factor risk assessment and document the conclusion either way.
What if our EHR portal does not offer MFA?+
Add it to your vendor-renewal conversation. Portal MFA is now table stakes. In the interim, push patients toward unique passwords, enable any breach-password screening the vendor offers, and monitor for cross-account anomalies on the same IP.
Do we have to assume credentials came from our practice?+
No — most portal ATOs use credentials harvested from breaches at unrelated services. But you should still check whether other patients were touched, and whether your portal exposes signals (IP, user agent) that would tell you if a single attacker is targeting your panel specifically.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.