A hacker claims to have 655,000 patient records allegedly obtained by hacking into three separate healthcare databases and is selling those patient records on the dark web marketplace, according to a report originally published by news site DeepDotWeb.
According to the DeepDotWeb article, posted Saturday, the hacker communicated with the site’s writers via an encrypted conversation. While it has not been verified whether any healthcare organizations have actually been hacked, the hacker provided the media site with images of the database hack from their internal network. The screenshot photos show healthcare databases that expose sensitive patient information, including full names, addresses, date of birth, social security numbers and other information, although the information in the screenshot photos has been blurred.
The hacker claims to have three separate healthcare databases from healthcare organizations in Farmington, Missouri, an undisclosed location in Central/Midwest U.S. and one in Georgia, and is allegedly selling the databases on a dark web marketplace.
The DeepDotWeb article quotes the hacker as providing this information about the databases:
“A considerably large database (48,000 patient records) in plaintext from a healthcare organization in Farmington, Missouri. It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.”
“A very large database (210,000 patients) in plaintext from a healthcare organization in the Central/Midwest U.S. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”
“A very large database (397,000 patients), in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”
Motherboard published an article on Sunday stating that the hacker goes by the handle “thedarkoverlord,” and it appears the hacker wants a ransom demand from the healthcare organizations.
Motherboard writer Joseph Cox wrote, “Thedarkoverlord has decided to not name the organizations, as he has threatened each with a ransom demand.”
In the article, Cox quotes the hacker as stating, “A modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims,” and then notes that the hacker “claims to have already sold $100,000 worth of records from the Georgia dump.”
“Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically,” he said,” the Motherboard article stated.
And, Cox wrote that Motherboard was provided with a sample of just under 30 patient records from the alleged Georgia database hack.
According to the DeepDotWeb article, the hacker allegedly used “an exploit in how companies use RDP” (remote desktop protocol). The article quotes the hacker as stating, "It is a very particular bug. The conditions have to be very precise for it."
In the Motherboard article, Cox wrote, “The hacker claims he obtained each database in roughly the same way each time via an unknown vulnerability in remote desktop protocol, which allows (usually) authorised parties to control computers for things such as tech support. From here, thedarkoverlord claims he moved throughout the network “until I got to the juicy machines running their electronic health systems.”
Bob Ertl, a senior director at Accellion, a cloud solutions vendor, says this latest breach incident highlights “just how critical the cybersecurity problem has become for the healthcare industry.”
“Unfortunately, the reality is that as long as medical information can sell on the black market for ten times or more than the value of a credit card number, the healthcare industry is going to have a target on its back,” Ertl says.
“Healthcare organizations just have to do a better job at securing protected health information (PHI),” he says.
Vishal Gupta, CEO of Seclore, says news of the hack “is a poignant reminder of just how valuable healthcare information is on the black market.”
“According to the hacker, some of the healthcare records have already sold for $100,000. To put that in perspective, the individual behind the LinkedIn breach tried to sell 117 million compromised passwords for only $2,200. When all is said and done, this breach could net upwards of a half a million dollars, which is why healthcare organizations are so heavily targeted by cybercriminals.”
He added, “Until companies are able to reduce the value of their sensitive information by applying persistent data-centric security solutions, the healthcare industry will continue to be every hacker’s favorite cash cow.”
The hacker claims to be trying to sell “a unique one-off copy of each of the three databases which are ranging in price from 151 bitcoin (about $100,000) to 607 bitcoin (about $395,000), the DeepDotWeb article stated.