Account Takeover Through Password Reuse: The Attack Chain
A paramedic at a medium-sized EMS agency uses the same password for their ePCR login that they have used since 2015 for LinkedIn. In 2021, LinkedIn suffered a breach that exposed 700 million user records. That password, along with the medic's work email, ended up in a credential dump sold on criminal forums. A threat actor bought the dump, ran it through a credential-stuffing script against a major ePCR cloud portal, and got in. The attacker now has access to years of patient care reports containing names, dates of birth, Social Security numbers, clinical assessments and medication records.
This happens regularly. It is the most common attack path into EMS clinical systems today. And it is almost entirely preventable.
The Realistic Attack Chain: How a LinkedIn Breach Becomes an ePCR Breach
The attack does not start with someone targeting your agency. It starts with a breach at a consumer service your staff use. LinkedIn, Adobe, Dropbox, a gaming platform, a forum. Any site that stores email addresses and passwords. When that site gets breached, the credentials enter the criminal supply chain. This is different from the supply chain risk I wrote about in the vendor subprocessor article, where the problem is your vendor's vendor having access to your data. Here the problem is your own staff's personal account hygiene.
Here is how the chain works.
The third-party breach comes first. A service your staff use for personal reasons suffers a data breach. The attackers extract email addresses and password hashes. They crack the hashes offline or buy pre-cracked lists. The result is a plain-text file of email and password pairs.
Then comes credential stuffing. The attacker writes a script that takes those email and password pairs and tries them against common targets like ePCR cloud portals, CAD web interfaces, agency email systems and VPN gateways. The script does not need to be sophisticated. Open-source tools like OpenBullet and SentryMBA handle this with a configuration file.
The successful login follows. The script finds a match. A medic used the same email and password for their ePCR account that they used for the breached service. The attacker now has an authenticated session inside your clinical data environment.
Then the payload. From inside the ePCR system, the attacker can export patient records, inject malware into the session or use the trusted account to phish other employees. The data has real street value. Full patient records with SSNs sell for more than credit card numbers.
The chain works because password reuse is common in every agency I have assessed. Studies consistently show that 50 to 70 percent of users reuse passwords across personal and professional accounts. In EMS, where staff often work multiple jobs and manage dozens of logins, the reuse rate is probably higher.
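The stuffing step leaves a distinctive trace in the portal's authentication log, and that trace is what an agency's IT team can alarm on. The script below is an added example for this article, not code from it or from any ePCR vendor: it parses a simple login log (the four-column format, the thresholds and every sample line are constructed assumptions) and flags source addresses that cycle through many distinct usernames in a short window with a low success rate. A medic mistyping a password hits one username repeatedly; a stuffing run hits many usernames once each, so the distinct-user count per source is the signal. Accounts that accepted a password during the burst are listed separately, because those are the medics whose reused passwords need an immediate reset.

```python
"""Flag credential-stuffing sources in portal login logs.

Added example for this article, not part of it. The log format below is an
assumption (timestamp, source IP, username, result) and every line is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hitting seven accounts in five seconds
# (one reused password succeeds), then a medic logging in normally hours later.
SAMPLE_LOG = """\
2024-03-01T02:14:01Z 203.0.113.7 jdoe@example-ems.org FAIL
2024-03-01T02:14:02Z 203.0.113.7 asmith@example-ems.org FAIL
2024-03-01T02:14:02Z 203.0.113.7 bwong@example-ems.org FAIL
2024-03-01T02:14:03Z 203.0.113.7 cperez@example-ems.org SUCCESS
2024-03-01T02:14:04Z 203.0.113.7 dlee@example-ems.org FAIL
2024-03-01T02:14:05Z 203.0.113.7 ekhan@example-ems.org FAIL
2024-03-01T02:14:06Z 203.0.113.7 fnguyen@example-ems.org FAIL
2024-03-01T07:01:10Z 198.51.100.4 jdoe@example-ems.org FAIL
2024-03-01T07:01:25Z 198.51.100.4 jdoe@example-ems.org SUCCESS
"""


def parse_log(text):
    """Return (time, ip, user, success) tuples from the assumed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Sliding window per source IP: many distinct usernames plus a low success rate.

    Returns {ip: {"distinct_users", "attempts", "compromised"}} for flagged sources,
    where "compromised" lists accounts that accepted a password during the burst.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        j = 0
        for i in range(len(evs)):
            # Advance the window end so burst = all events within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            burst = evs[i:j]
            users = {e[2] for e in burst}
            successes = sum(1 for e in burst if e[3])
            if len(users) >= min_users and successes / len(burst) <= max_success_rate:
                seen = flagged.get(ip)
                if seen is None or len(users) > seen["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(burst),
                        "compromised": sorted({e[2] for e in burst if e[3]}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried in {info['attempts']} attempts; "
              f"force reset for: {', '.join(info['compromised']) or 'none'}")
```

On the constructed sample this flags 203.0.113.7 (seven accounts, one success) and ignores 198.51.100.4, which is one medic retrying their own login. In practice the same logic runs over whatever export the ePCR vendor or VPN gateway provides, and the thresholds are tuned to the agency's normal login volume.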
How MFA and Credential Monitoring Break the Attack Chain
Two controls break this chain at different points. You need both.
Multi-Factor Authentication
MFA stops the attack at the third step, the successful login, by requiring a second factor. Even if the attacker has the correct password, they cannot complete the login without it. A TOTP code from an authenticator app, a hardware key or a push notification to a trusted device all work.
SMS-based MFA is better than nothing, but it has known weaknesses. SIM-swapping attacks let an attacker redirect SMS messages to their own device. For ePCR systems containing PHI, app-based or hardware-based MFA is the standard.
The common objection in EMS is that MFA adds friction during patient care. A medic in the back of a truck during a cardiac arrest cannot stop to enter a six-digit code. The solution is session persistence. The medic authenticates with MFA at the start of their shift on a trusted agency device. That session remains valid for the shift duration. They do not need to re-authenticate for every chart entry. The security is in place without impeding clinical workflow.
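To make the two pieces concrete, here is an added example that is not the article's or any vendor's code: a TOTP verifier written to RFC 6238 (HMAC-SHA1 over the 30-second time step, one step of drift tolerated, constant-time comparison) and a small session store that models the shift pattern described above. The medic passes MFA once at shift start on a trusted agency device; the resulting token is bound to that device and expires with the shift, so a token copied to an untrusted machine, or one presented after the shift, is refused. The device identifiers, the 12-hour shift length and the class and function names are assumptions for the example; the secret in the demo is the RFC 6238 test vector, not a real enrolment.

```python
"""TOTP verification (RFC 6238) plus a shift-length session bound to a trusted device.

Added example, not the article's or any vendor's code. Device identifiers,
the 12-hour shift length and the class/function names are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

SHIFT_SECONDS = 12 * 3600  # assumed shift length; tune to the agency's roster


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(key, int(timestamp) // step, digits)


def verify_totp(key, code, timestamp=None, step=30, window=1):
    """Accept the current code or one step either side (clock drift), constant-time compare."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    return any(hmac.compare_digest(hotp(key, counter + d), code)
               for d in range(-window, window + 1))


class ShiftSessionStore:
    """MFA once at shift start on a trusted agency device; the session then rides out the shift."""

    def __init__(self, trusted_devices):
        self.trusted_devices = set(trusted_devices)
        self.sessions = {}  # token -> (user, device_id, expires_at)

    def start_shift(self, user, device_id, totp_key, code, now=None):
        """Issue a shift session only for a trusted device and a valid second factor."""
        now = time.time() if now is None else now
        if device_id not in self.trusted_devices or not verify_totp(totp_key, code, timestamp=now):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, device_id, now + SHIFT_SECONDS)
        return token

    def authorize(self, token, device_id, now=None):
        """Return the user for a valid (token, device) pair, else None. No re-prompt per chart."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return None
        user, bound_device, expires_at = session
        if now >= expires_at:
            self.sessions.pop(token, None)  # shift over: the session dies with it
            return None
        if device_id != bound_device:
            return None  # token presented from a device that did not complete MFA
        return user


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test secret, not a real enrolment
    store = ShiftSessionStore(trusted_devices={"tablet-17"})
    tok = store.start_shift("jdoe", "tablet-17", key, totp(key))
    print("shift session issued:", tok is not None)
    print("chart entry 6h later allowed:",
          store.authorize(tok, "tablet-17", time.time() + 6 * 3600) == "jdoe")
```

Provisioning the shared secret into the medic's authenticator app, and marking which tablets count as trusted, are enrolment steps outside this snippet; the point it demonstrates is that the six-digit prompt happens once per shift, not once per chart entry.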
Credential Monitoring
Credential monitoring catches the problem before the attacker even tries the stuffing attack. Services like HaveIBeenPwned for Enterprises or commercial dark-web monitoring tools watch for your agency's email domain in new breach dumps.
When a medic's email appears in a fresh dump, the system alerts your IT team. They can force a password reset on the ePCR account before the attacker runs the stuffing script. The window between a breach becoming public and attackers using the credentials is often measured in hours. Automated monitoring closes that window.
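Domain monitoring tells you which addresses have shown up in a dump; the complementary check is to refuse a breached password at the moment the medic resets it. The example below is added here and is not the article's code. It implements the client side of Have I Been Pwned's Pwned Passwords range API using k-anonymity: the password is hashed with SHA-1 locally, only the first five hex characters are sent, and the returned suffix list is matched locally, so the password itself never leaves the agency. `hibp_fetch_range()` shows the real request shape against the public endpoint; the embedded response used by the demo and its breach counts are constructed so the block runs offline. The policy function, its name and the 12-character minimum are assumptions.

```python
"""Check a candidate password against HIBP's Pwned Passwords range API using
k-anonymity: only the first five hex characters of the SHA-1 leave the agency.

Added example, not the article's code. The embedded API response and its counts
are constructed for offline use; hibp_fetch_range() shows the real call shape.
"""
import hashlib


def hibp_fetch_range(prefix):
    """Real client: GET the suffix list for a 5-character SHA-1 prefix (network call)."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "example-ems-password-policy"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response to the prefix of SHA-1("password"),
# which is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8. The counts are made up.
FAKE_RANGE = {
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n",
}


def fake_fetch_range(prefix):
    """Offline substitute for hibp_fetch_range() with the same signature."""
    return FAKE_RANGE.get(prefix, "")


def pwned_count(password, fetch_range=hibp_fetch_range):
    """Return how many times the password appears in breach data (0 if not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def password_change_allowed(password, fetch_range=hibp_fetch_range, min_length=12):
    """Policy hook for the reset flow: reject short or breached passwords with a reason."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in breach data; choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2024"):
        print(candidate, "->", password_change_allowed(candidate, fake_fetch_range, min_length=8))
```

Swapping `fake_fetch_range` for `hibp_fetch_range` turns this into the live check; wiring it into the reset flow after a monitoring alert ensures the forced reset does not land on another password already in a dump.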
The Case for an Agency-Issued Password Manager
MFA and monitoring are necessary, but they treat the symptom. The root cause is that humans cannot remember dozens of unique complex passwords. They will reuse passwords because the alternative is writing them on sticky notes or resetting them every shift.
An agency-issued password manager solves this. The agency deploys a password manager like Bitwarden or 1Password to all issued devices. Each medic gets a vault that generates and stores unique random passwords for every service they use. The medic only needs to remember one master password.
The real value is in what an agency-managed deployment gives you. Centralized policy enforcement lets you control password complexity, rotation requirements for shared accounts and audit trails for who has access to what. Secure shared credential storage keeps dispatch terminal logins, station computer credentials and vendor portal access available to authorized staff without being written on a whiteboard in the apparatus bay. Breach notification integration means some enterprise password managers can alert you when a stored credential appears in a known breach, giving you an automated version of credential monitoring.
The cost is low. Bitwarden runs about three dollars per user per month for the enterprise tier, similar to the cost of evaluating your ePCR vendor's security posture in the first place. 1Password is similar. Compared to the cost of a single HIPAA breach investigation, it is negligible.
> The Security Rule requires covered entities to implement technical and nontechnical safeguards to protect ePHI. Unique user identification and automatic logoff are among the addressable implementation specifications. Password reuse is a direct failure of both.
HIPAA Compliance and the Liability of Password Reuse
HIPAA requires covered entities to implement technical safeguards for access control. The Security Rule specifically requires unique user identification and procedures for emergency access. Password reuse undermines both.
If a breach occurs because a medic reused a password from a personal account, the agency is liable. The argument that you did not know your staff were reusing passwords does not hold up. The agency is responsible for implementing controls that prevent foreseeable risks. Password reuse is a foreseeable risk. It has been documented for years. The Security Rule's addressable implementation specifications give you room to choose your approach, but they do not let you ignore the problem.
The Office for Civil Rights has made it clear that weak access controls are a common finding in breach investigations. An agency that has not deployed MFA on its ePCR system and does not have a password policy that accounts for reuse is carrying significant regulatory risk. If you want to see what a reasonable access review program looks like, I covered that in the article on auditing ePCR access logs.
Frequently Asked Questions
Why does a breach at a company like LinkedIn affect my agency's security?
Attackers use credential stuffing, where they take leaked email and password pairs from one site and automatically try them on others. If your staff reuse passwords, a leak at a social media site becomes a direct key to your clinical records.
Is MFA too slow for medics in the field?
MFA can be managed with session persistence. The medic authenticates at the start of their shift on a trusted agency device and stays logged in for the duration. This keeps security in place without slowing down patient care during a call.
Why should the agency provide a password manager instead of letting staff use their own?
An agency-issued password manager lets you enforce security policies, manage shared credentials and audit access. With personal password managers, or no password manager at all, you have no visibility into whether your staff are reusing passwords or writing them down.
What is credential stuffing?
Credential stuffing is an automated attack where stolen username and password pairs are tried against multiple websites and services. The attacker relies on the fact that many people reuse the same credentials across different accounts.
What happens if we get breached because of password reuse?
The agency faces HIPAA investigation, potential fines, notification requirements and reputational damage. The cost of a single breach far exceeds the cost of implementing MFA and a password manager.
The attack chain I described at the start of this article is not complicated. It does not require a nation-state actor or a zero-day exploit. It requires a single reused password and a script that costs nothing to run. The defenses are not complicated either. MFA, credential monitoring and an agency-issued password manager break the chain at every link. The question is whether your agency will implement them before or after the breach.
-- Steven
Need help with your agency’s cybersecurity? Get in touch