Your Staff Clicked a Link. You Had MFA. You Still Got Breached. Here's Why.
A Christchurch healthcare practice had multi-factor authentication switched on across every account. A staff member opened an email on a busy Tuesday morning, clicked a link, and by that afternoon the breach had spread to multiple colleagues. What followed was a Privacy Commissioner notification, several days of disruption, and a very difficult conversation about their ACC provider contract. They had done what every IT provider and insurer had told them to do. It wasn't enough.
The phishing email that started it looked completely normal. No spelling mistakes, no obvious red flags - just a convincing message that appeared to come from a platform the practice already used. The staff member clicked through to what looked like a standard login page, entered their credentials, and completed the MFA prompt when it appeared. From their perspective, nothing unusual happened. From the attacker's perspective, everything had gone to plan.
What the staff member didn't know was that the fake login page wasn't just collecting their password. It was acting as a relay - passing their credentials through to the real service in real time and capturing the session token that came back. A session token is what keeps you logged in after you've verified your identity. Once an attacker has it, they don't need your password or your MFA code. They have a live, authenticated session and they can use it immediately - often before the legitimate user has closed their browser tab. This technique is called adversary-in-the-middle phishing, and it is now commonly used against organisations that thought MFA had them fully protected.
Healthcare practices are a deliberate target. They hold some of the most sensitive personal information in existence - medical histories, mental health records, ACC claim details. That data has real value for identity fraud, insurance scams, or ransom. Practices are also typically small enough to lack dedicated security resources, but large enough to hold substantial patient records and to depend on third-party contracts that create serious pressure when something goes wrong. A practice that cannot demonstrate reasonable security controls risks more than a Privacy Commissioner notification under the NZ Privacy Act 2020 - it risks its provider status. That is a different category of consequence to what most small businesses face, and understanding what a breach costs a small practice makes that risk concrete. The Office of the Privacy Commissioner and CERT NZ both publish guidance on breach response obligations worth knowing before an incident, not after.
When ITstuffed started working with this practice after the incident, the controls we put in place would have broken the attack at several points before it became a breach. Email filtering would have assessed that phishing message before it reached anyone's inbox - it would not have been delivered. DNS filtering acts as a second line: even if the email had arrived and been clicked, the connection to the fake login page would have been blocked before it could load. Login monitoring watches for anomalous session behaviour - a login from an unexpected location, a session active in two places at once - and would have flagged an alert within minutes. Device-level protection would have caught the unusual activity and contained it before it spread internally. And staff training that specifically covers how MFA gets bypassed - not just generic advice about not clicking links - changes how people respond when an unexpected login prompt appears. Attacks that bypass MFA entirely are one reason SaaS ransomware now poses a specific risk to practices using cloud-based clinical systems.
None of these controls is sufficient on its own. That's the point. Layered security means an attacker has to defeat multiple independent systems, not just find one gap. Healthcare IT support that understands clinical environments and the specific pressures practices operate under looks different to standard business IT - and the gap matters when a breach has consequences beyond a reset password.
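Of the layers described above, login monitoring is the one that can be sketched in code. The following is an added illustration, not ITstuffed's tooling or the practice's own logs: a small Python detector run over a constructed sign-in log that flags activity from an unexpected country and, more tellingly, a single session token in use from two different addresses within a short window, which is what a relayed session from an adversary-in-the-middle page looks like from the server side. The log format, the baseline country set, the field names and the 15-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in/activity log (not real data), one event per line:
# timestamp  user  session_id  source_ip  country
SAMPLE_LOG = """\
2024-03-05T09:02:11Z reception@practice.example sess-7f1 203.0.113.10 NZ
2024-03-05T09:03:40Z reception@practice.example sess-7f1 203.0.113.10 NZ
2024-03-05T09:06:02Z reception@practice.example sess-7f1 198.51.100.77 RU
2024-03-05T09:07:15Z nurse@practice.example sess-a22 203.0.113.11 NZ
2024-03-05T09:09:30Z nurse@practice.example sess-a22 203.0.113.11 NZ
"""

USUAL_COUNTRIES = {"NZ"}               # assumed baseline for this practice
CONCURRENT_WINDOW = timedelta(minutes=15)  # assumed window for "two places at once"


def parse(log_text):
    """Turn the assumed space-separated log format into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, sess, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "session": sess, "ip": ip, "country": country})
    return events


def detect(events):
    """Return alerts as (kind, user, session, detail) tuples.

    unexpected_location: activity from outside the baseline country set.
    concurrent_session: the same session token used from two different
    source IPs within CONCURRENT_WINDOW, the hallmark of a relayed/stolen
    session rather than a user who simply moved networks hours later.
    """
    alerts = []
    seen = defaultdict(list)  # session_id -> [(ts, ip), ...] in time order
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["country"] not in USUAL_COUNTRIES:
            alerts.append(("unexpected_location", e["user"], e["session"], e["ip"]))
        for ts, ip in seen[e["session"]]:
            if ip != e["ip"] and e["ts"] - ts <= CONCURRENT_WINDOW:
                alerts.append(("concurrent_session", e["user"], e["session"],
                               f"{ip}->{e['ip']}"))
                break
        seen[e["session"]].append((e["ts"], e["ip"]))
    return alerts
```

Run against the constructed log, only the reception session is flagged, once for the foreign source and once because the same token surfaced from a second address within four minutes.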
If a staff member at your practice received a convincing email tomorrow and clicked a link, how many of those layers would catch it before it became a problem? ITstuffed offers a free 15-minute IT Fit Check to talk through exactly that question. Book one here.
