A hacker operating under the name TheDarkOverlord has placed three separate listings on the underground marketplace TheRealDeal. Three separate healthcare databases are being offered for sale. Those databases contain a total of 655,000 healthcare records.
Samples of the data were provided and have been independently verified as genuine. Some of the data appear to be old, although the breaches are understood to have occurred relatively recently. The data do not appear to have come from the large-scale breaches of the past few years, as was the case with the recent listings on TheRealDeal placed by the hacker “Peace.”
The hacker claims to have obtained the data in recent attacks by exploiting gaping holes in the healthcare organizations’ systems. One of the stolen databases was obtained as a result of a “severely misconfigured network”, while in other cases, the hacker stole data from accessible internal networks. In each case, access was gained using “readily available plaintext usernames and passwords.”
The hacker has not named the organizations that were attacked, although the locations of the organizations were disclosed in each listing. Screenshots were also uploaded to confirm the authenticity of the attacks and the data that were stolen.
One of the databases, which contained 210,000 healthcare records, was stolen from a healthcare organization in the Central/Midwest region of the United States. This database was obtained as a result of severe misconfiguration of the organization’s network.
A smaller database was stolen from a healthcare organization in Farmington, Missouri. The database contains the records of 48,000 patients. The hacker claims to have used readily available plaintext usernames and passwords to gain access to an MS Access database. It has since emerged that the database was stolen from Midwest Orthopedic Clinic.
The third and largest database was taken from a healthcare organization in Georgia. The database contains 397,000 patient records, including a considerable number of records of BlueCross BlueShield members. The organization’s internal network was easily reachable and was accessed using readily available usernames and passwords.
The attacker did not immediately list the data for sale. Each organization was contacted and was given the opportunity to pay a “modest” fee to recover the data and be informed of the security gap that was exploited. The hacker claims to have emailed each company in advance, saying that the amount being requested was small in comparison to the damage that would be caused if the data were sold. None of the healthcare organizations paid the ransom demand and the data were listed online.
The hacker claims that these are not the only data that will be listed for sale. The hacker reportedly said “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”