The names, addresses, dates of birth and Social Security numbers of more than 10 million patients have been listed for sale on a darknet marketplace in the past few days. These records do not appear to have come from some of the large healthcare data breaches reported by HIPAA covered entities over the last few years. There is a high probability that the records are from new, previously unreported PHI breaches.
The healthcare records were listed for sale on darknet marketplace TheRealDeal over the weekend. The records appear to have been stolen by a hacker operating under the name TheDarkOverlord.
Five separate listings have now been added to the site, each corresponding to a separate batch of healthcare data taken from the databases of healthcare providers and health insurers.
Initially, four healthcare databases were listed for sale containing a total of over 655,000 healthcare records, with a promise that further data would be listed for sale if payment was not received to prevent the sale. A few days later, a health insurer’s database was also listed on the site. That database contains 9.3 million records.
The listings were accompanied by screenshots of the data to demonstrate authenticity. Since the listings were posted, some records have been independently verified as real, although the data appear to be old.
The hacker claims to have exploited a zero-day vulnerability in the remote desktop protocol to gain access to the health insurer’s database. The other attacks were possible because the organizations in question had stored usernames and passwords in plaintext.
The hacker first contacted the healthcare organizations in question and offered to fix the security flaw; however, when the offer was rejected, the data were listed for sale. The payment requested was allegedly small in comparison to the damage that would be caused by selling the PHI.
The data contained in the databases are extremely valuable to cybercriminals. The information could be used to commit fraud and steal identities. The hacker claims to have already sold one batch of BlueCross BlueShield data for $100,000.
One batch of data is now being listed for 30 Bitcoin – $19,500, while a larger database has been listed for sale at 375 Bitcoin – approximately $243,000. The price has been reduced since the listings were first posted.
The hacker has not disclosed the names of the organizations involved, although the 9.3 million records are from a large U.S. health insurer, while the smaller batches of data come from healthcare organizations in New York, Atlanta, Oklahoma City, and Farmington, Missouri.
Fortunately, the data being sold do not include the protected health information of patients, although should a buyer agree to pay for the data, patients would face an elevated fraud risk.