According to reports from news portal Deep Dot Web, 689,621 patient records are being sold by a hacker operating in TheRealDeal, a deep web marketplace known for peddling stolen data, codes and zero-day software exploits. The hacker told the news site that he used an exploit in how the organizations utilize remote desktop protocol (RDP), adding that it is a specific security flaw with precise conditions needed for it to be triggered.
The hacker, who goes by the handle “thedarkoverlord,” is offering a purportedly one-off copy of the stolen data. The data has been broken into databases, with prices ranging from 151 to 643 bitcoins (BTC), amounting to around US$96,000 to $411,000.1
The first database contains medical records of 48,000 patients from Farmington, Missouri, taken from a Microsoft Access database within the organization’s internal network. The stolen data was recently disclosed by the hacker to be from the Midwest Orthopedic Center, a physician-led family medicine and orthopedic practice. The authenticity of 499 patient records uploaded by the hacker as sample data has been verified by third parties.
The second is from Atlanta, Georgia, containing 397,000 medical records stolen from an accessible internal network, while the third contains records from 210,000 patients from a facility in Central/Midwest U.S., stolen from a misconfigured network. All of the databases include usernames and passwords readily available in plaintext form.
Included in the data dump are full names, physical addresses (which also contain city, state and ZIP code), Social Security numbers, dates of birth, gender, email addresses, phone numbers and insurance policy ID numbers, among others.
To date, thedarkoverlord has not named the affected organizations—aside from the Missouri-based hospital— as he has first reached out to them and offered to disclose the vulnerability for a price, telling news site Motherboard that it is “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak.” The tactic resembles a black hat bug poaching scheme, where hackers breach corporate network and online infrastructure, scan and analyze for vulnerabilities, then attempt to extort money before disclosing the security flaws to the company.
The hacker claims he has already made off with $100,000 worth of medical records from the Georgia database, with another cybercriminal eyeing to buy insurance records from Blue Cross Blue Shield. In a sample of records given to Motherboard, it was noted that a majority of the phone numbers “went through to the correct person or family home.”
On June 28th, it was reported that thedarkoverlord is also selling a stolen database of health insurance records from more than 9.3 million patients across the U.S. The advertisement, found in the same deep web marketplace, touts, “This product is an extremely large database in plaintext from a large insurance healthcare organization in the United States. It was retrieved using a 0-day within the RDP protocol that gave direct access to this sensitive information.”
The information contained in this data dump includes names, home addresses, city, state, ZIP, email addresses, home phone numbers, dates of birth, and Social Security numbers. The hacker is selling the stolen data for 750 BTC, or around $478,000. He has also contacted the health insurer involved and did a similar bug poaching tactic, but the organization declined to respond. In a separate report by security researcher named ‘Dissident Joe,’ some of the records in a sample provided to her were verified to be real, although some information such as phone numbers and emails appeared to be outdated.
The hacker followed this up the next day with an upload of a new trove of data to TheRealDeal—this time comprising medical records from 34,621 patients stolen from a hospital in New York. The database is currently being sold for 30 BTC (around $19,166). Like the previous data dumps, the hacker claims the database was retrieved using an unknown security flaw in RDP. He further explained, “Specifically, this RDP database gave access to a desktop that contained a ‘Passwords.txt’ style file that allowed further effortless penetration of their electronic medical systems.”
The medical and health insurance records stolen by thedarkoverlord is yet another in a string of data breaches and cyber-attacks targeting healthcare organizations—a health system in Arkansas, several facilities in California, ophthalmology and oncology practices in Florida, a dental clinic in Massachussetts, a podiatry facility in Nebraska, a substance abuse program in New Mexico’s San Juan County, a primary care hospital in Tennessee, and a health center in Texas, as well as insurance companies Anthem and Premera Blue Cross. From October 2009 to May 2016, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights has recorded 1,567 data breach incidents involving healthcare organizations.
Healthcare facilities store an extensive repository of information that, when stolen, cannot be easily replaced.
Healthcare remains a key target of ransomware, and information theft to spear phishing attacks, and it's not difficult to see why. Healthcare facilities store an extensive repository of information that, when stolen, cannot be easily replaced and can even go undetected by victims for a long time. As such, cybercriminals consider the industry a lucrative source of personally identifiable information (PII) and their accompanying financial records, which are easily monetized as tradable goods in underground marketplaces. In turn, individual malefactors and organized syndicates use these stolen data to commit fraud, identity and intellectual theft, espionage, blackmail, and extortion. The information can also be used to deliver malware to unsuspecting users through spam and phishing attacks.
In fact, identity theft has been reported to be the most rampant in healthcare in 2015. In this case, fraudsters use a patient’s stolen PII to access someone else’s services or other resources, apply for loans or credit cards, open bank accounts, make online transactions, file tax returns to collect rebates, and conduct other illegal activities without the victim’s consent and knowledge.
Cybercriminals leverage the financial value of data when monetizing the information they steal. For instance, according to a survey of customers in 2015, health information and medical records are estimated at $82.90 apiece for U.S. consumers, while a Social Security number is worth $55.70. Payment details, physical location information, home address, marital status, as well as name and gender information are pegged at $45.10, $38.40, $17.90, $6.10 and $2.90, respectively.
In online black markets, stolen data are sold in various prices depending on the type of information. In the Brazilian underground, a list of landline phone numbers may be priced between $317 and $1,931, while a set of email account credentials can be sold in Chinese darknet marketplaces for $163. Work and personal email addresses can be sold in the Russian online underworld for as much as $200.
Cybercriminals can use the data to cause personal distress, damage an unknowing user’s reputation, commit identity theft, expose private information to the public, and even compromise corporate accounts and use them as gateway to breach an enterprise’s network.
Cybercriminals consider the industry a lucrative source of personally identifiable information (PII) and their accompanying financial records, which are easily monetized as tradable goods in underground marketplaces.
For healthcare organizations, the repercussions of a data breach are daunting. In addition to the loss of reputation and patient trust, they risk incurring huge revenue losses from expenses such as those related to the investigation, forensics and mitigation of the damage done by such a security incident, billing issues, and costs involved to provide affected patients with reparational support such as identity theft protection and credit monitoring services.
Healthcare providers can also be served with civil and criminal penalties in line with the Omnibus rules of the Health Insurance Portability and Accountability Act (HIPAA), with fines that range from $100 to $50,000 per violation (or per record) and an annual maximum of $1.5 million.
The recent spate of attacks on healthcare organizations has also prompted policy makers to push for more stringent guidelines that will be mandated to the healthcare industry in line with HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) in terms of averting the unauthorized exposure of private information. Certain variants of ransomware with information-stealing capabilities, for instance, pose operational risks to healthcare facilities and can compromise patient safety by denying access to data and related IT functions essential to providing health care services. Depending on the attack, the same data can also be exfiltrated and sent to a cybercriminal’s command and control server (C&C).
More and more healthcare organizations rely on the collection and use of personal data via online platforms to provide care and perform mission-critical functions. On the other hand, cybercriminals will continue to exploit gaps in their security to steal and profit from the same information. This can adversely impact the organization’s business operations, and ultimately lead to degraded health services.
As such, healthcare providers and facilities should exercise responsiveness to minimize the damage as quickly as possible, as well as setting up integrated, preventive measures in order to preserve data and maintain business operations. Healthcare organizations can also benefit from multi-layered detection and recovery systems that can help identify and prevent vulnerabilities and malware from being exploited and delivered to corporate networks, medical devices, company mobiles and other data endpoints. For security incidents such as data breaches, healthcare organizations need to be able to gauge its impact, and duly notify law enforcement and related authorities while implementing an action plan for patients and other affected individuals.