Five separate postings were made on a dark web market to sell close to 10 million patient records stolen from various hospitals that contain information such as names, addresses, contact information, birth dates and Social Security numbers.
The posts on the dark web market, called TheRealDeal, were made by a user named thedarkoverlord, who claimed to be the hacker who stole the records.
The largest batch holds 9.3 million patient records labeled as being stolen from "an extremely large database in plaintext from a large insurance healthcare organization in the United States," but it was not disclosed if the data came from a high-profile health insurance data breach, such as Excellus or Anthem. The four smaller batches of records are listed as being from healthcare organizations in Oklahoma City, Farmington, Mo., and Atlanta, and a clinic in New York.
The dark web market postings noted different attack vectors that were used to steal the data. The seller said the largest batch of patient records was stolen "using a zero day within the [Remote Desktop Protocol] that gave direct access to this sensitive information," while other attacks took advantage of databases that all listed usernames and/or passwords in plaintext.
The seller provided screenshots and sample records to specific media outlets, which were able to confirm the validity of the information stolen. Security researcher Dissent Doe received 100 records and was able to verify some of them as authentic.
"There may be a good amount of old personal information in the database. Most phone numbers DataBreaches.net called no longer worked or belonged to other parties. The majority of emails sent to email addresses in the larger sample did not bounce back, but produced no replies to the inquiries," Doe wrote on her blog. "One person, reached by phone, confirmed the accuracy of her date of birth and Social Security number, but reported that the address was one where she had lived years ago."
The alleged hacker also provided screenshots of the stolen databases to DeepDotWeb. In the comment section of that news post, a user asked thedarkoverlord, "Did you actually warn these people about their vulnerable systems, offer to fix it, and when they declined, you went to Plan B (sell the data)?" And, thedarkoverlord responded simply, "Yes."
At the time of this publication, the smallest batches of patient records were being sold for 30 bitcoins ($19,000), while the largest was listed at 375 bitcoins ($240,000). This already marks a significant price reduction from when the listings were first made on the dark web market just one day ago. At that time, the smallest batch was listed for 151 bitcoins ($96,000), and the largest was 750 bitcoins ($477,000).
According to Andrei Barysevich, director of eastern European research and analysis at New York-based cybersecurity firm Flashpoint, "novice hackers love to overestimate the value of their data -- market rules always prevail."
"The established market rates dictate prices of approximately $1 to $3 per record in plaintext or $10 to $50 in the case of available PDF copies of driver's licenses and insurance cards," Barysevich said. "However, bulk sales will always command disproportionately low prices, with a million records offered at $500 to $1,000. In the recently announced compromise of 21st Century Oncology uncovered by Flashpoint, the private records of over 2 million patients were sold by the Russian cybercriminal at a minuscule $2,000."
Rick Holland, vice president of strategy at Digital Shadows, based in San Francisco, said potential buyers are limited.
"Sophisticated criminal actors are likely. Nation states could be in the mix, but could likely conduct their own operations against insurance companies for less than the sale price," Holland said. "Given that the purported data set is traditional PII [personally identifiable information] and not PHI [personal health information], the risks are largely fraud around phishing campaigns. If there was PHI in the data set, then extortion would be [a] very likely risk. As far as breach data sets go, this one is pretty vanilla."
Holland suggested that in order to protect themselves from attacks like these, "enterprises should focus on fundamentals like segmented networks, the fundamental of least privilege and increasing visibility to quickly detect and respond to intrusions," rather than chasing the latest cyber fad.
Other experts said the best mitigation for enterprises against thefts like this is to stop storing sensitive data in plaintext and to encrypt it at rest instead.
"The first thing all companies should do is encrypt their databases so that if an attacker were to get in and peek at the database, the data would be useless to them," said Ryan O'Leary, vice president for the Threat Research Center and technical support at WhiteHat Security, based in Santa Clara, Calif. "In addition to this, companies should implement an application and network security program. A team should be tasked with the security of the systems and applications, and companies should utilize a good third-party vendor to help find vulnerabilities that could lead to these kinds of breaches."