It Will Happen, So Plan for It
Stolen-credential dumps are a constant feature of the modern threat landscape. Aggregator sites and breach-monitoring services index billions of email-and-password pairs harvested from compromises of every imaginable third-party site — retailers, forums, productivity tools, even children's games. If your staff use their work email to register for non-work services (and most of them do), then statistically, sooner or later, a work-domain credential will appear in one of those dumps.
That moment is not by itself a HIPAA breach. It can become one very quickly if you do not have a response playbook ready.
What “Showed Up on the Dark Web” Actually Means
When a credential monitoring service reports a hit, what you are seeing is one of three scenarios:
Scenario A: Old password, no longer in use
The employee registered for a third-party site years ago using their work email and a password they no longer use anywhere. The risk is low — but only if you can verify it.
Scenario B: Old password, reused for current systems
The employee registered for a third-party site using a password that they have also used (or are still using) for work systems. This is the dangerous scenario. The attacker now has a working credential against your environment without needing to phish anyone.
Scenario C: Recent and active
The breach is recent, and the password is the one the employee is using right now. This is an active intrusion path. Treat it as an incident in progress.
A good monitoring service will give you the breach source and the date, which lets you make a fast initial judgment about which scenario you are in. If you cannot tell, default to Scenario B.
The First 60 Minutes
Whatever the scenario, the first hour follows the same script.
Minute 0 to 10: Force the password reset
Reset the affected employee's password on every primary system: SSO provider, EHR, email, VPN, practice management. If you have SSO, one reset cascades to most of these. Revoke active sessions where the system supports it.
Minute 10 to 30: Verify MFA is hard
Confirm that MFA is enabled on every system that supports it for that user. If MFA is SMS-based, this is the moment to upgrade to an authenticator app or hardware key — not in three months. SMS MFA is bypassable via SIM swap, which is exactly the next move an attacker who has bought a credential dump tries.
Minute 30 to 60: Check for prior-use evidence
Look at recent successful logins for the affected account. Pay attention to:
- Logins from unfamiliar IP addresses or geographies.
- Logins outside the user's normal hours.
- Unusual patterns: bulk record access, large exports, configuration changes.
- OAuth or app-password grants the user does not recognize.
If you find any of these, the incident has escalated and you need to engage your incident response procedures (and likely your breach counsel) immediately.
The First 24 Hours
Once the immediate exposure is contained, you have a longer list to work through.
- Talk to the employee. Ask what other systems they may have used the same or similar password on. The honest answer is almost always “more than I want to admit.” That is fine. The point is to identify them so they can be reset.
- Review the audit log for the prior 90 days. Look for any anomalies you may have missed in the first hour.
- Check for forwarding rules. A common attacker move after a credential compromise is to set up a forwarding rule to siphon mail to an external address. Audit mailbox rules for the affected user.
- Document the response. Date, time, source of the alert, scenario classification, steps taken, who took them, outcome. This is the artifact that proves you ran a real process.
- Decide on a breach assessment. A leaked credential is not automatically a HIPAA breach — but if you find any evidence of unauthorized access to PHI, the four-factor breach risk assessment kicks in. Run it, document it, and involve counsel if the conclusion is anywhere near the line.
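The first-hour evidence check (unfamiliar IP or geography, off-hours logins, bulk exports, unrecognized OAuth grants) and the 24-hour mailbox forwarding-rule audit can be run as one pass over a normalized audit-log export. The script below is an added example, not part of this article or of any vendor product; the event shape, the office IP prefix, the internal mail domain and the export threshold are assumptions a practice would replace with its own baseline.

```python
from datetime import datetime

# Constructed sample events (not real data) in the shape an SSO or EHR
# audit export might be normalized to for one affected user.
EVENTS = [
    {"ts": "2024-05-06T08:12:00", "ip": "10.20.0.15", "country": "US", "action": "login"},
    {"ts": "2024-05-06T02:47:00", "ip": "185.220.101.7", "country": "NL", "action": "login"},
    {"ts": "2024-05-06T02:49:00", "ip": "185.220.101.7", "country": "NL", "action": "export", "records": 4200},
    {"ts": "2024-05-06T02:51:00", "ip": "185.220.101.7", "country": "NL", "action": "oauth_grant", "app": "MailSyncPro"},
    {"ts": "2024-05-06T02:52:00", "ip": "185.220.101.7", "country": "NL", "action": "inbox_rule", "forward_to": "x@example.net"},
    {"ts": "2024-05-06T09:30:00", "ip": "10.20.0.15", "country": "US", "action": "export", "records": 12},
]

# Assumed baseline for the practice; every value here is a placeholder.
BASELINE = {
    "countries": {"US"},
    "ip_prefixes": ("10.20.",),          # office / VPN address space
    "hours": range(7, 20),               # 07:00 to 19:59 local is "normal"
    "export_threshold": 500,             # records per export before it counts as bulk
    "known_apps": {"Outlook", "Teams"},  # OAuth apps the practice has approved
    "internal_domains": {"clinic.example"},
}

def flags_for(ev, b):
    """Return the list of indicators (from the playbook) that this one event trips."""
    reasons = []
    if ev["country"] not in b["countries"] or not ev["ip"].startswith(b["ip_prefixes"]):
        reasons.append("unfamiliar IP/geography")
    if datetime.fromisoformat(ev["ts"]).hour not in b["hours"]:
        reasons.append("outside normal hours")
    if ev["action"] == "export" and ev.get("records", 0) >= b["export_threshold"]:
        reasons.append("bulk export")
    if ev["action"] == "oauth_grant" and ev.get("app") not in b["known_apps"]:
        reasons.append("unrecognized OAuth grant")
    if ev["action"] == "inbox_rule":
        domain = ev.get("forward_to", "").rsplit("@", 1)[-1]
        if domain not in b["internal_domains"]:
            reasons.append("external forwarding rule")
    return reasons

def triage(events, baseline=BASELINE):
    """(timestamp, reasons) for every event that hits at least one indicator."""
    return [(ev["ts"], flags_for(ev, baseline)) for ev in events if flags_for(ev, baseline)]

def escalate(events, baseline=BASELINE):
    """Playbook decision: any hit means the incident has escalated to IR."""
    return bool(triage(events, baseline))
```

Each flagged event, with its timestamp and reasons, is exactly the kind of line that belongs in the response record the article asks you to keep.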
The First 30 Days
Most of the long-term value of a credential incident comes from how you use the lessons.
- Re-train the affected employee. Not as punishment — as reinforcement. Use the incident as the teaching example.
- Re-evaluate password reuse policy. If reuse is even possible (i.e., if employees are still managing dozens of passwords on their own), deploy a password manager.
- Add the affected systems to a watch list. Increase login monitoring sensitivity for the next 30 to 60 days.
- Review your wider exposure. Run a fresh credential check against every employee's email, not just the one who triggered the alert. The same dump probably has more of your domain in it.
Pre-Building the Playbook
Most of the response work above can — and should — be pre-built before any alert ever fires. Concretely:
- A named incident commander for credential alerts. Not “the IT person.” A specific name with a specific backup.
- A runbook with the exact reset paths for each system, including who to contact at the vendor if something goes wrong.
- A pre-drafted communication template for the affected employee that explains what happened, what you are doing, and what they need to do.
- A breach assessment template ready to be filled in if escalation is required.
- A standing relationship with breach counsel so the first call is not a cold call.
What Continuous Monitoring Buys You
The whole playbook above depends on knowing about the leak in the first place. Practices that rely on the affected employee to mention “hey I got an email from my bank about a breach” learn about leaks weeks or months too late. Continuous credential monitoring — matching your employees' work email domains against breach corpuses on an automated schedule — is the difference between a one-hour response and a one-month one.
HIPAA Security Suite's NSS Credential Monitor runs that match continuously and routes hits to the compliance owner's inbox the day they appear. The playbook above is what you run when the alert lands.
What OCR Looks For
If a credential leak ever turns into a breach you have to report, OCR will ask three things: How did you find out? What did you do in the first 24 hours? Why are you confident the exposure has been contained? A practice that can answer those three questions with timestamps and named owners is in a fundamentally different position than one that cannot. Build the playbook now, in calm conditions, and the answer to those questions writes itself.
Call to Action
Talk to us about turning on continuous credential monitoring as part of your HIPAA Security Suite subscription — the alerts arrive in your inbox; the playbook is yours to run.