ShinyHunters, the data extortion group, is threatening to leak 8.8 terabytes of stolen patient data from One Medical, the Amazon-owned primary care provider. That’s not a small breach. That’s nearly nine terabytes of protected health information — patient names, diagnoses, treatment records, insurance details — sitting in the hands of scumbags who will sell it or publish it for leverage.
The question every healthcare IT team should be asking: how did 8.8 TB of patient files leave the building without anyone stopping it?
The Problem: Application-Layer Access Control Doesn’t Stop File-Layer Theft
Most healthcare organizations implement PHI access control at the application layer. Your EHR has a login screen. Your PACS system requires authentication. Your lab system has role-based access. That’s good. That’s required.
But once a user is authenticated to the application, they’re also authenticated to Windows. They have file system permissions. And every program they run — Outlook, Chrome, OneDrive, a script, malware running under their account — inherits those permissions.
If the user can read the PHI files, so can any program running as that user.
Data exfiltration doesn’t happen over the network first. It happens at the file system first. Someone — or something — reads files from disk, then copies them somewhere else. USB drive. Cloud storage. Email attachment. Encrypted archive uploaded to a file-sharing site. The delivery mechanism varies, but the operation is always the same: read file from disk, write file to destination.
HIPAA requires covered entities to implement access controls that limit PHI access to authorized users and programs. Most organizations stop at “authorized users.” They don’t control which programs those users run.
How FileSure Would Have Prevented This
FileSure Defend operates at the Windows kernel level via a filter driver. It intercepts file system operations — open, read, write, create, delete, rename — before they reach the file system. You define policies that specify which programs are allowed to perform which operations on which files.
For One Medical’s patient data, a FileSure policy might look like this:
File Filter: E:\PatientRecords\*.xml (or whatever file type their EHR uses)
Allowed Programs: C:\Program Files\EMR_System\emr.exe
Allowed Operations: Read, Write
Denied Programs: All others
Action on Deny: Block and log
With that policy in place, only the authorized EHR application can read patient record files. If someone tries to open those files with Outlook to attach them to an email — blocked. If they try to copy them to a USB drive using Explorer — blocked. If OneDrive tries to sync the folder — blocked. If a PowerShell script running under a compromised account tries to read and exfiltrate the files — blocked.
The evildoer never gets to the exfiltration step because they can’t complete the read operation. The kernel filter driver denies the file open request before the data is read into memory.
Every denied attempt is logged: user name, machine name, program path, file path, timestamp. Your security team sees the attempt in real time. Your HIPAA audit trail is complete.
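The following Python is an added illustration, not FileSure's engine or policy syntax, of two points above: a user-based ACL passes every program that runs as the authorized account, while a program-aware policy decides per image path and produces the audit record described (user, machine, program, file, timestamp). The class names, the simulated ACL, the sample file name and the non-EHR program paths are assumptions constructed for the example.

```python
"""Added example: a simulation of the program-allow-list file policy sketched
in the article. Not FileSure's driver, engine or policy syntax; class names,
fields and sample paths are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional

# Operations the article says the filter driver intercepts.
OPERATIONS = frozenset({"open", "read", "write", "create", "delete", "rename"})


def normalize(path: str) -> str:
    """Windows paths are case-insensitive, so compare everything in one case."""
    return path.replace("/", "\\").lower()


@dataclass(frozen=True)
class FilePolicy:
    file_filter: str                   # glob over the file path
    allowed_programs: FrozenSet[str]   # image paths permitted to touch matching files
    allowed_ops: FrozenSet[str]        # operations those programs may perform
    action_on_deny: str = "block_and_log"


@dataclass(frozen=True)
class FileRequest:
    user: str      # account the requesting process runs as
    machine: str
    program: str   # image path of the requesting process
    path: str
    op: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    log_entry: Optional[dict] = None


def user_acl_allows(acl: dict, request: FileRequest) -> bool:
    """Conventional user-based check: any program running as an allowed
    account passes, which is the gap the article describes."""
    for folder, users in acl.items():
        if normalize(request.path).startswith(normalize(folder) + "\\"):
            return request.user in users
    return False


def evaluate(policy: FilePolicy, request: FileRequest,
             now: Optional[datetime] = None) -> Decision:
    """Program-aware check applied before the operation reaches the file system."""
    if request.op not in OPERATIONS:
        raise ValueError(f"unknown operation {request.op!r}")
    if not fnmatchcase(normalize(request.path), normalize(policy.file_filter)):
        return Decision(True, "path not covered by this policy")
    program_ok = normalize(request.program) in {normalize(p) for p in policy.allowed_programs}
    op_ok = request.op in policy.allowed_ops
    if program_ok and op_ok:
        return Decision(True, "allowed program and operation")
    reason = "program not allowed" if not program_ok else "operation not allowed"
    # Audit record with the fields the article lists: user, machine, program, file, timestamp.
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"user": request.user, "machine": request.machine, "program": request.program,
             "file": request.path, "operation": request.op, "timestamp": stamp,
             "reason": reason, "action": policy.action_on_deny}
    return Decision(False, reason, entry)


# The article's sample policy. "open" is listed because the driver denies the
# open request that precedes any read.
PHI_POLICY = FilePolicy(
    file_filter=r"E:\PatientRecords\*.xml",
    allowed_programs=frozenset({r"C:\Program Files\EMR_System\emr.exe"}),
    allowed_ops=frozenset({"open", "read", "write"}),
)
# Constructed user-level ACL: the clinician's account may enter the folder.
USER_ACL = {r"E:\PatientRecords": {r"CLINIC\jdoe"}}


def scenarios() -> dict:
    """The article's cases, all running as the same authorized user.
    Program paths other than emr.exe are illustrative, not taken from the article."""
    base = dict(user=r"CLINIC\jdoe", machine="WS-042", path=r"E:\PatientRecords\patient-1001.xml")
    return {
        "emr_read": FileRequest(program=r"C:\Program Files\EMR_System\emr.exe", op="read", **base),
        "emr_rename": FileRequest(program=r"C:\Program Files\EMR_System\emr.exe", op="rename", **base),
        "outlook_open": FileRequest(program=r"C:\Program Files\Mail\outlook.exe", op="open", **base),
        "explorer_copy": FileRequest(program=r"C:\Windows\explorer.exe", op="read", **base),
        "onedrive_sync": FileRequest(program=r"C:\Users\jdoe\AppData\Local\OneDrive\OneDrive.exe", op="read", **base),
        "powershell_read": FileRequest(program=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", op="read", **base),
    }


def compare() -> dict:
    """For each scenario: (user ACL verdict, program policy verdict)."""
    return {name: (user_acl_allows(USER_ACL, req), evaluate(PHI_POLICY, req).allowed)
            for name, req in scenarios().items()}


if __name__ == "__main__":
    for name, (acl_ok, policy_ok) in compare().items():
        print(f"{name:16} user ACL: {'allow' if acl_ok else 'deny':5}  "
              f"program policy: {'allow' if policy_ok else 'deny'}")
    print(evaluate(PHI_POLICY, scenarios()["powershell_read"]).log_entry)
```

Running it shows every scenario passing the user ACL and only `emr_read` passing the program policy; `emr_rename` is denied on the operation check and the others on the program check, each producing a log entry. The simulation identifies a program by its path string only; a real kernel-level control has to establish the identity of the calling image more robustly than that, and the policy as written says nothing about what the authorized EHR process itself may do with the data once it has read it.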
The Upstream Intervention
The strongest defense happens at the earliest point in the attack chain. If you prevent the payload from landing on disk, ransomware never runs. If you prevent unauthorized file reads, data exfiltration never starts.
Most DLP tools operate at the network perimeter or email gateway. They try to detect sensitive data in transit — after it’s already been read from disk, after it’s already left the file system. They rely on content inspection, pattern matching, signatures. A password-protected zip file defeats them.
FileSure operates upstream. It controls the file read operation itself. If the program isn’t authorized to read the file, the read doesn’t happen. No data enters memory. No data reaches the network. No content inspection needed.
It’s not detection. It’s prevention.
If you’re responsible for protecting patient data, you need to control file operations at the kernel level. Application-layer security and network-layer DLP are not enough. The file system is where the data lives, and it’s where the theft starts.
Start a free trial at bystorm.com and deploy kernel-level file access control on your PHI systems in under five minutes.
Source: ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data
Category: Data Loss Prevention
Tags: data exfiltration, shinyhunters, hipaa, phi protection, kernel filter driver, healthcare data breach, file system security, one medical