Hacker selling 655,000 patient records from 3 hacked healthcare organizations

A hacker is reportedly trying to sell more than half a million patient records, obtained from exploiting RDP, on a dark web marketplace.

healthcare data breach ts
Credit: Thinkstock

A hacker going by “thedarkoverlord” is reportedly selling 655,000 patient records on a dark web marketplace; he claims to have three separate healthcare databases which include patients’ full names, Social Security numbers, dates of birth, addresses and more – data that could be used for identity theft and fraud.

The hacker claims to have exploited Remote Desktop Protocol (RDP) at three healthcare organizations in order to steal the databases. Thedarkoverlord told DeepDotWeb that “it is a very particular bug. The conditions have to be very precise for it.”

He also provided screenshots taken on June 13 as proof of the intrusions, showing the extent of sensitive patient information in the records. The databases contain Social Security numbers, patients’ full names, race and genders, addresses, dates of birth, phone numbers, insurance information and email addresses. That’s more than enough information for a thug to impersonate a victim to set up a line of credit or to take out a loan.

The databases being advertised on TheRealDeal marketplace allegedly include 48,000 patient records from a healthcare organization in Farmington, Missouri, another 210,000 records from Central/Midwest US, and 397,000 healthcare records from Georgia.

Although “thedarkoverlord” is offering “to sell a unique one-off copy of each of the three databases,” the hacker told Motherboard that he has already sold $100,000 worth of records from the Georgia organization. “Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically.”

397000 patient records from healthcare organizations in Georgia DeepDotWeb / TheRealDeal

The asking price for the full healthcare database with nearly 400,000 records from Georgia is 607.84 bitcoins, which at the time of writing is currently about $389,390. The hacker described it as “a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”

He wants 303.92 bitcoins, about $195,147, for 210,000 patient records from “a very large database in plaintext from a healthcare organization in the Central/Midwest United States. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”

As for the 48,000 records being sold for 151.96 bitcoins, about $97,574, he claims the plaintext database came from a healthcare organization in Farmington, Missouri. “It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.”

If thedarkoverlord sells all three healthcare databases just once, then he would make about $682,110. If he also made $100,000 for the Blue Cross Blue Shield data, and only does that once, then he stands to make more than three-quarters of a million dollars for his criminal activities.

Hacker wants hush money, delivered ransom demand to each organization

The hacker is not revealing the names of the breached organizations yet, since he is trying to extort a ransom from them. He told Motherboard the ransom demand is “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Thedarkoverlord asked DeepDotWeb to include the following note for the breached companies:

Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.