Skip to main content
All playbooks
Playbook

A patient's portal account has been taken over

The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.

Last reviewed: May 2026

The first hour

  1. 1If a suspicious portal message arrives — unusual refill request, request to change phone/email, records to a new fax — verify by calling the patient back on the phone number in the chart, not the number in the message.
  2. 2If the patient confirms they did not send it, lock the portal account immediately in the EHR (athenahealth: Patient → Portal → Disable; eClinicalWorks: Portal → Account Status → Lock; Epic MyChart: Patient → MyChart → Deactivate). Document time and reason in the chart.
  3. 3Get the prescriber in the loop within minutes if a controlled-substance refill was requested — the script may already have been sent.
  4. 4If a script was issued, call the pharmacy directly to cancel and hold dispensing. Document the cancellation. Controlled substances escalate to the EPCS playbook.
  5. 5Force a portal password reset for the patient. Do not email the new password — call them. Walk them through enabling MFA if your EHR supports it.
  6. 6Check whether other patients had suspicious activity on the same day from the same IP, if your EHR exposes that data.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Export the portal access log for the affected account for the last 30 days — views, downloads, messages sent, demographic changes.
  • Screenshot any changes to email, phone, or records-delivery destinations before reverting them.
  • Save copies of every fraudulent message sent from the account, including timestamps and any pharmacy interactions.
  • Document the four-factor breach risk assessment in writing if PHI was viewed.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Is one portal takeover a HIPAA breach?+

If the attacker viewed labs, downloaded a CCDA, or read clinical notes, yes — PHI was accessed by an unauthorized party. Notify the patient within 60 days with the data elements involved, the date range of unauthorized access, and remediation steps. Run the four-factor risk assessment and document the conclusion either way.

What if our EHR portal does not offer MFA?+

Add it to your vendor-renewal conversation. Portal MFA is now table stakes. In the interim, push patients toward unique passwords, enable any breach-password screening the vendor offers, and monitor for cross-account anomalies on the same IP.

Do we have to assume credentials came from our practice?+

No — most portal ATOs use credentials harvested from breaches at unrelated services. But you should still check whether other patients were touched, and whether your portal exposes signals (IP, user agent) that would tell you if a single attacker is targeting your panel specifically.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.