Personal information for close to 10 million people is being sold online by a hacker.
DeepDotWeb, reported that a hacker put health records for 9.3 million patients, stolen from a health insurance database, up for sale on TheRealDeal market for 750 bitcoin ($485,000). The same hacker who goes by the handle “thedarkoverlord”, two days earlier, put records for roughly 655,000 patients across three hospitals for sale online.
According to DeepDotWeb’s report the breaches came from three healthcare organizations:
- 48,000 records were stolen from a hospital in Farmington, Missouri
- 397,000 records were stolen from a hospital in Atlanta, Georgia
- 210,000 records were stolen from a Central/Midwest-based hospital
The hacker claims already $100,000 worth of records have been sold, saying that “someone wanted to buy all the Blue Cross Blue Shield insurance records, specifically.” The data could be used for anything from getting lines of credit to opening bank accounts to carrying out loan fraud and much more, the hacker selling the data told Motherboard, which was provided access to 30 records for proof.
The hacker gained access to the records by entering databases through an unidentified vulnerability in remote desktop protocol, which allows (usually) authorized parties to control computers for things such as tech support. From here, thedarkoverlord claims he moved throughout the network “until I got to the juicy machines running their electronic health systems.”
With incidents of hacking and ransomware on the rise in the industry, Department of Human and Health Services early last month issued recommendations on steps hospitals and insurers can take to protect against cyberattacks.
“Paying a ransom does not guarantee an organization will regain access to their data,” the guidance states. “After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption keys. Paying could inadvertently encourage this criminal business model.”
Earlier this year, Los Angeles-based Hollywood Presbyterian Medical Center paid hackers roughly $17,000 (40 bitcoins) after a ransomware attack left its network disabled.