
Hacker Claims to be Selling 655,000 Patient Records from Three Hacked Hospitals, Media Reports Say

June 28, 2016
by Heather Landi

A hacker claims to have 655,000 patient records, allegedly obtained by hacking into three separate healthcare databases, and is offering them for sale on a dark web marketplace, according to a report originally published by the news site DeepDotWeb.

According to the DeepDotWeb article, posted Saturday, the hacker communicated with the site’s writers over an encrypted channel. It has not been verified that any healthcare organization was actually hacked, but the hacker provided the site with screenshots of the databases, said to have been taken from inside the victims’ internal networks. The screenshots show healthcare databases exposing sensitive patient information, including full names, addresses, dates of birth and Social Security numbers, although the data in the screenshots has been blurred.

The hacker claims to hold three separate databases, from healthcare organizations in Farmington, Missouri, in an undisclosed location in the Central/Midwest U.S., and in Georgia, and is allegedly selling them on a dark web marketplace.

The DeepDotWeb article quotes the hacker as providing this information about the databases:

“A considerably large database (48,000 patient records) in plaintext from a healthcare organization in Farmington, Missouri. It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.”

“A very large database (210,000 patients) in plaintext from a healthcare organization in the Central/Midwest U.S. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”

“A very large database (397,000 patients) in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”

Motherboard published an article on Sunday stating that the hacker goes by the handle “thedarkoverlord” and appears to be demanding a ransom from the healthcare organizations.

Motherboard writer Joseph Cox wrote, “Thedarkoverlord has decided to not name the organizations, as he has threatened each with a ransom demand.”

In the article, Cox quotes the hacker as stating, “A modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims,” and then notes that the hacker “claims to have already sold $100,000 worth of records from the Georgia dump.”

“‘Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically,’ he said,” the Motherboard article stated.

Cox also wrote that Motherboard was provided with a sample of just under 30 patient records from the alleged Georgia database.

According to the DeepDotWeb article, the hacker allegedly used “an exploit in how companies use RDP” (Remote Desktop Protocol). The article quotes the hacker as saying, "It is a very particular bug. The conditions have to be very precise for it." Neither article identifies a specific RDP vulnerability, and the hacker’s own descriptions of the three intrusions cite readily available plaintext credentials and misconfigured networks rather than a software flaw.

In the Motherboard article, Cox wrote, “The hacker claims he obtained each database in roughly the same way each time via an unknown vulnerability in remote desktop protocol, which allows (usually) authorised parties to control computers for things such as tech support. From here, thedarkoverlord claims he moved throughout the network ‘until I got to the juicy machines running their electronic health systems.’”
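The pattern described above, one account reaching a string of internal hosts over RDP before landing on the EHR systems, is visible in Windows Security logs as a burst of 4624 logon events with logon type 10 (RemoteInteractive) from the same account and source address against many distinct hosts. The script below is an added example, not code from the article or from either news site; the log lines are constructed, the field layout is a simplified one-line-per-event rendering rather than the native Windows XML, and the 30-minute window and four-host threshold are assumed tuning values, not figures from the page.

```python
"""Detect RDP fan-out (one account/source opening RDP sessions on many hosts
in a short span), a lateral-movement indicator. Added example; the log lines
are constructed, and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, destination host, event id, logon type,
# account, source IP. Logon type 10 = RemoteInteractive (RDP) in event 4624;
# type 2 is a console logon, type 3 a network logon (SMB, etc.).
SAMPLE_LOG = """\
2016-06-25T01:02:10Z WS-101     4624 10 jdoe       10.20.30.40
2016-06-25T01:03:44Z WS-102     4624 10 jdoe       10.20.30.40
2016-06-25T01:05:01Z FS-01      4624 10 jdoe       10.20.30.40
2016-06-25T01:06:37Z EHR-DB-01  4624 10 jdoe       10.20.30.40
2016-06-25T01:07:12Z EHR-APP-01 4624 10 jdoe       10.20.30.40
2016-06-25T08:15:00Z WS-201     4624 10 nurse7     10.20.31.5
2016-06-25T08:16:00Z WS-201     4624 2  nurse7     -
2016-06-25T09:00:00Z WS-202     4624 3  svc_backup 10.20.30.9
"""


def parse_events(text):
    """Parse the simplified one-event-per-line format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, logon_type, user, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user.lower(),
            "src": src,
        })
    return events


def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=4):
    """Return {(user, src): sorted hosts} for each (account, source IP) pair
    that established RDP sessions (4624 / logon type 10) on at least
    `min_hosts` distinct hosts within some span of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            by_key[(e["user"], e["src"])].append(e)

    hits = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; the first window that
        # covers enough distinct hosts is reported.
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (user, src), hosts in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"RDP fan-out: {user} from {src} -> {', '.join(hosts)}")
```

The check keys on the (account, source IP) pair rather than the account alone so that a helpdesk analyst who legitimately works from a single jump host can be allow-listed by source, while the same account RDP-hopping from an unexpected workstation still trips the threshold. In production the events would come from forwarded Security logs rather than an inline string, and the threshold would be set from a baseline of normal RDP use in the environment.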

Bob Ertl, a senior director at Accellion, a cloud solutions vendor, says this latest breach incident highlights “just how critical the cybersecurity problem has become for the healthcare industry.”

“Unfortunately, the reality is that as long as medical information can sell on the black market for ten times or more than the value of a credit card number, the healthcare industry is going to have a target on its back,” Ertl says.

“Healthcare organizations just have to do a better job at securing protected health information (PHI),” he says.

Vishal Gupta, CEO of Seclore, says news of the hack “is a poignant reminder of just how valuable healthcare information is on the black market.”

“According to the hacker, some of the healthcare records have already sold for $100,000. To put that in perspective, the individual behind the LinkedIn breach tried to sell 117 million compromised passwords for only $2,200. When all is said and done, this breach could net upwards of a half a million dollars, which is why healthcare organizations are so heavily targeted by cybercriminals.”

He added, “Until companies are able to reduce the value of their sensitive information by applying persistent data-centric security solutions, the healthcare industry will continue to be every hacker’s favorite cash cow.”

The hacker claims to be selling “a unique one-off copy of each of the three databases which are ranging in price from 151 bitcoin (about $100,000) to 607 bitcoin (about $395,000),” the DeepDotWeb article stated.
