Healthcare data breaches can be costly, difficult to resolve, and dangerous for patients. Yet despite the best preventative practices, breaches can still happen, underscoring the critical need for prompt detection and response.

As healthcare organizations are responsible for safeguarding private patient data, swiftly identifying signs of a data breach is essential. If such sensitive information were to fall into the wrong hands, the repercussions could be severe. However, the signs of a healthcare data breach aren’t always obvious. The early signals may seem like routine technology glitches.

To help you and your team better identify them, we’ve outlined some subtle signs of a compromised network below, along with some useful cybersecurity tips.

Locked credentials

Failed login attempts happen to everyone. While one failed login isn’t a red flag, a locked-out account could signal that an intruder is attempting to use your employees’ credentials to log in. This is especially true if more than one employee is getting lockout messages.

The intruder might not be in the system but they may have maxed out your teams’ logins. Or the intruder may already be inside, changing passwords and locking your team out of their accounts. Either way, IT should investigate to see if there are any other signs of a breach.

File changes

File modifications can be a sign of a data breach. Hackers often move, delete, replace, and change files when accessing a system. Noticing those changes can be tricky, however. In healthcare environments, files are used by multiple people, making it difficult to spot modifications.

Here are some other ways threat actors exploit files to breach systems:

  • Inserting malicious files, processes, or applications into the system
  • Installing seemingly legitimate and common-use applications that are unfamiliar or not typically used in your environment and carry hidden malicious intent
  • Pointing encrypted or corrupted files to malware
  • Copying the entire system in preparation for stealing a large amount of data
  • Conducting enumerations that involve querying or dumping information about security groups, user accounts, and administrative privileges, as well as performing network scans

When an employee detects any suspicious changes to files, they should immediately report these observations. The IT team will likely need to freeze activities on the affected device or cloud to investigate the suspicious files thoroughly.

Abnormal user activity

It doesn’t matter what their role is in your healthcare organization; employees are creatures of habit. They often use their accounts for the same activities every day. Any user activity that looks different from the daily norm may signal an attack.

Abnormal user activity can look like:

  • Login activity outside of office hours (such as in the middle of the night)
  • User / Network activity to or from another city, state, or country
  • Unplanned password changes
  • Logins from multiple devices at once
  • Logins from multiple locations at once
  • Accessing systems that a username normally doesn’t access
  • Services not usually accessed by that user such as RDP sessions when the employee is usually on-premises
  • Execution of higher-level functions such as PowerShell

The takeaway is that any suspicious user activity should be tracked, even if it appears to come from a legitimate source. Setting up alerts for atypical activity can help your organization stop malicious actors before they do lasting damage.
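To show what "alerts for atypical activity" can look like in practice, here is an added example (not code from the original post) that runs three of the checks listed above over constructed authentication events: logins outside office hours, successful logins from two countries within a short window, and repeated failures that indicate a lockout. The log format, the office-hours window, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events, not real logs: timestamp, user, result, country, device
SAMPLE_EVENTS = [
    "2024-03-04T09:02:11 jdoe success US ws-101",
    "2024-03-04T09:05:40 jdoe success DE laptop-7",
    "2024-03-04T02:14:03 asmith success US ws-222",
    "2024-03-04T10:00:01 bwong failure US ws-310",
    "2024-03-04T10:00:05 bwong failure US ws-310",
    "2024-03-04T10:00:09 bwong failure US ws-310",
    "2024-03-04T10:00:12 bwong failure US ws-310",
    "2024-03-04T10:00:15 bwong failure US ws-310",
    "2024-03-04T11:30:00 cmiller success US ws-410",
]

# Assumed policy values: office hours, "same time" window, and lockout threshold
OFFICE_START, OFFICE_END = time(7, 0), time(19, 0)
CONCURRENT_WINDOW_SECONDS = 30 * 60
LOCKOUT_THRESHOLD = 5


def parse(line):
    """Split one whitespace-separated event line into a dict."""
    ts, user, result, country, device = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "result": result, "country": country, "device": device}


def detect(lines):
    """Return (signal, user) alerts for the suspicious patterns in the events."""
    alerts = []
    failures = defaultdict(int)   # consecutive failed logins per user
    last_success = {}             # user -> (timestamp, country) of last success
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["result"] == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == LOCKOUT_THRESHOLD:
                alerts.append(("lockout", ev["user"]))
            continue
        failures[ev["user"]] = 0  # a success resets the failure streak
        if not OFFICE_START <= ev["ts"].time() <= OFFICE_END:
            alerts.append(("off_hours", ev["user"]))
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["country"] and \
                (ev["ts"] - prev[0]).total_seconds() <= CONCURRENT_WINDOW_SECONDS:
            alerts.append(("multi_location", ev["user"]))
        last_success[ev["user"]] = (ev["ts"], ev["country"])
    return alerts
```

Each alert names the signal and the account so the IT team can follow up on the specific user rather than on a generic "anomaly" notice.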

Device tampering

While most signs of a breach are subtle, there are times when evidence of an attack is obvious.

Device tampering, for example, can be relatively easy to spot. Indicators include coming back to a device that’s not as you left it: a computer that’s turned on when you’re pretty sure it was turned off at the end of a shift, devices that have been moved, settings that have been changed, and windows left open. Any tampering signals that someone else has been using a device, possibly accessing sensitive data.

Device tampering may manifest in the following ways:

  • Disabling or compromising security defenses, including antivirus software, Endpoint Detection and Response (EDR) systems, and similar protective measures
  • Enabling previously disabled services such as RDP
  • Unplanned creation/modification of GPOs in a domain controller

Unauthorized device use can expose sensitive patient and organizational data, so it’s crucial that, upon detecting any signs of tampering, your team responds immediately and decisively to protect this confidential information.

Here are some important steps to take:

  • Immediately check the device’s system and event logs (exporting them for preservation may be necessary)
  • Connect non-managed systems to the network
  • Make sure all device user accounts are protected with strong passwords and multifactor authentication
  • Ensure passwords are changed on affected devices or accounts
  • Refresh employees’ knowledge of security protocols. All employees should know information security best practices, and know how to report a security incident.

Atypical outbound traffic

Typical outbound web traffic in a healthcare organization is fairly predictable. It usually includes patient communications, billing, equipment orders, and similar activities. However, if you see something different, it may be a sign of a breach. Bad actors often use outbound web traffic to send stolen data and communicate with external parties.

Warning signs include:

  • Unusually large volume of outbound traffic
  • An unexpected destination
  • Activity that simply looks different from usual, such as traffic generated by a utility that is not normally used on your network

If abnormal traffic is found, all activity should be frozen until the transmission is investigated.
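As an added example (not from the original post), the following script applies the two most concrete warning signs above, unusual outbound volume and unexpected destinations, to constructed daily flow summaries. The known-destination list, the baseline multiplier, and the flow data are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed daily outbound flow summaries, not real traffic:
# (day, host, destination, bytes_out)
SAMPLE_FLOWS = [
    ("2024-03-01", "ws-101", "ehr-vendor.example", 120_000),
    ("2024-03-02", "ws-101", "ehr-vendor.example", 130_000),
    ("2024-03-03", "ws-101", "billing.example", 110_000),
    ("2024-03-04", "ws-101", "ehr-vendor.example", 125_000),
    ("2024-03-01", "ws-205", "billing.example", 90_000),
    ("2024-03-02", "ws-205", "billing.example", 95_000),
    ("2024-03-03", "ws-205", "billing.example", 85_000),
    ("2024-03-04", "ws-205", "unlisted-host.example", 4_000_000),
]

# Assumed: destinations that routine business traffic is expected to reach
KNOWN_DESTINATIONS = {"ehr-vendor.example", "billing.example", "supplier.example"}
# Assumed: today's total above this multiple of the host's past daily mean is a spike
VOLUME_MULTIPLIER = 3.0


def daily_totals(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_outbound_anomalies(flows, today):
    """Flag unknown destinations seen today and hosts whose volume today
    far exceeds their own history (ISO date strings compare chronologically)."""
    alerts = []
    for day, host, dest, _nbytes in flows:
        if day == today and dest not in KNOWN_DESTINATIONS:
            alerts.append(("unknown_destination", host, dest))
    for host, per_day in daily_totals(flows).items():
        history = [b for d, b in per_day.items() if d < today]
        if today not in per_day or not history:
            continue  # nothing to compare against for this host
        if per_day[today] > VOLUME_MULTIPLIER * mean(history):
            alerts.append(("volume_spike", host, per_day[today]))
    return alerts
```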

Slow loading times

A slow internet connection and sluggish endpoint are never welcome at work. A lag may be more than just a nuisance, however. For example, malware can slow down a device’s processing speed. If a device or network is experiencing unusually slow loading times, that may indicate an attack.

Make sure employees know to report slow loading times to the IT department. Even if it doesn’t seem suspicious, a scan might reveal an unauthorized application, an attack, or a data breach.

Computer glitches

Many malfunctions seem innocuous but may be a sign of something more serious. For example, compromised computers may show frequent pop-up messages (often from internet browsers or antivirus software) and systems may unexpectedly freeze or shut down.

Employees may also notice new files, toolbars, or settings on the computer itself or a web browser. In some cases, the computer might seem as if it’s being controlled by someone else.

When an employee notices a glitch, they should stop all activity immediately and contact IT. Because “glitches” like pop-ups are often intended to bait users into clicking on malicious links, employees should not interact with those windows. Otherwise, more data could be exposed.

Web browser redirects

Signs of an attack can also show up in web browsers. For instance, if a website redirects an employee, that may be a sign the site is compromised. Other signs include constant pop-ups and unusual search results.

Employees should never try to fix this issue themselves, even if they are completing an important task. The best course of action is to immediately report the issues to the IT team.

Tracking healthcare breaches

The first signs of a data breach are rarely obvious. Bad actors have a vested interest in going undetected. And the longer they’re able to linger in your system unnoticed, the more they can steal.

While it can be tricky to track the activity of a busy healthcare organization’s network, you have a secret weapon: your employees. If staff are trained to quickly spot the signs of a breach and report it, your organization is better positioned to minimize the damage caused by an intruder.

Another powerful practice that can help healthcare organizations reduce their risk of a breach is penetration testing. Watch our on-demand webinar to learn why it’s so important for healthcare leaders to rethink how they approach pen testing.


This blog post was originally published in May 2021 and has been updated to reflect the latest developments and to ensure accuracy.