Millions of Health Records for Sale by Hacker Who Allegedly Stole Them
The protected health information (PHI) of nearly 10 million individuals was allegedly posted for sale by the hacker who stole the data, according to Motherboard.
The hacker posted the first batch of approximately 655,000 records on June 25, and posted 9 million alleged patient insurance details on June 27. The records were offered for sale on a marketplace on the dark web—parts of the web that require specific software or authorization to access. The initial data was supposedly stolen from facilities located in Farmington, Missouri (48,000 records); Atlanta (397,000 entries); and one listed only as “Central/Midwest US” (210,000 records), Motherboard reported. On June 28, the hacker added the PHI of 34,000 individuals from New York.
The records allegedly contain:
- Social Security numbers
- Names
- Addresses
- Dates of birth
- Insurance information, including policy numbers
The hacker declined to name the specific organizations the data was stolen from, claiming he or she is still attempting to negotiate ransoms from the facilities. However, the hacker has already posted images of some of the records with names and contact information clearly visible and provided a sample of 30 records to Motherboard so reporters could verify that the information contained in the records is real. Motherboard reported that the majority of phone numbers were correct although some addresses were out of date. One individual reportedly confirmed additional information that was included in the records released to Motherboard. However, Motherboard did not report what additional information was included in the records released to them and if it included patients’ Social Security numbers, insurance information, or treatment and diagnostic information.
The hacker claims that at least $100,000 worth of records from the Georgia database were sold and that one buyer was specifically looking for all Blue Cross Blue Shield records.
In an interview conducted with Motherboard via encrypted chat, the alleged hacker said he or she is offering the data for sale as part of a plan to extort the organizations it was allegedly stolen from. The hacker offers to take the data down and close the sale if the organization pays an unspecified sum. The hacker added that he or she hopes to use media attention to put added pressure on the organizations he or she is attempting to extort.
However, organizations should be wary of attempting to negotiate with criminals, according to government guidance. HHS’ recently released ransomware guidance advises organizations not to pay ransoms and instead contact law enforcement, following similar guidance from the FBI and the Department of Homeland Security. Colluding with a criminal to cover up a breach is dangerous and unethical, says Mac McMillan, FHIMSS, CISSM, cofounder and CEO of CynergisTek, Inc., in Austin, Texas.
“[The hacker’s] offer to these institutions, prior to their refusal to pay the ransom, was that he would return the data and provide the details for how he conducted the hack and stole the information so they could remediate the issue, and, assuming they were unethical, let the fact that they had been breached quietly go away,” McMillan says. “Meaning he would not divulge that he had hacked them so they could, again assuming they were unethical, cover the incident up.”
Some organizations, such as Hollywood Presbyterian Medical Center in Los Angeles and Kansas Heart Hospital in Wichita, paid hackers after their systems were shut down by ransomware. However, hackers in the Kansas Heart Hospital incident refused to release the data and demanded a second ransom. Although some organizations may believe paying the ransom is the quickest way to resolve an incident and protect their patients’ safety and PHI—and their own reputation—criminals are under no obligation to play by the rules.
“The first thing that anyone needs to understand when dealing with an extortionist, is that nothing is for certain, and paying one ransom doesn’t mean you won’t receive another, or just because they say they are returning the information doesn’t mean they didn’t keep a copy, or that the weakness they disclose to you is the only one they found, or that they did not install a backdoor,” McMillan says. “You are dealing with a criminal.”
If an organization receives information that a breach occurred, or may have occurred, their obligation is to follow the guidance set out in HIPAA and the recommendations from regulatory and law enforcement agencies.
“This was a breach, the hacker has the data, and whether he posted on the dark web or not it was a breach,” McMillan says. “The impermissible disclosure has already occurred.”