<div dir="ltr"><a href="http://www.databreachtoday.com/3-stolen-health-databases-reportedly-for-sale-on-dark-web-a-9227">http://www.databreachtoday.com/3-stolen-health-databases-reportedly-for-sale-on-dark-web-a-9227</a><br><p>A hacker is reportedly selling on the dark web copies of databases
stolen from three unidentified U.S. healthcare organizations containing
data on 655,000 individuals for prices ranging from about $96,000 to
$386,000 in bitcoin for each database. </p>
<p>The hacker taking credit, who calls himself "thedarkoverlord," is
operating on the TheRealDeal dark web marketplace and is offering to
sell "a unique one-off copy of each of the three databases," according
to dark net news reporting website <a href="https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/" target="_blank"><i>DeepDot Web</i></a>.</p>
<p>The hacked data being sold, according to <i>DeepDotWeb</i>, includes:</p>
<ul><li>A database containing plaintext data of 397,000 patients of a
healthcare organization based in Georgia, which was "retrieved from an
accessible internal network using readily available plaintext usernames
and passwords," the apparent hacker told <i>DeepDotWeb</i>;</li><li>A database containing plaintext data of 210,000 patients from a
healthcare provider operating in the central and Midwestern region of
the U.S., which the hacker claims "was retrieved from a severely
misconfigured network using readily available plaintext usernames and
passwords."</li><li>A database containing data of 48,000 patients of a Farmington,
Mo.-based healthcare organization, which the hacker claims "was
retrieved from a Microsoft Access database within their internal network
using readily available plaintext usernames and passwords."</li></ul>
<p>Media website <a href="http://www.dailydot.com/politics/655000-patient-records-dark-net/" target="_blank"><i>The Daily Dot</i></a>,
which says it examined TheRealDeal listings for the three databases,
reports that among the data being sold are patients' names, dates of
birth, addresses, phone numbers and Social Security numbers.</p>
<h3>Extortion Attempt</h3>
<p><i>DeepDotWeb</i> reports that the self-proclaimed hacker, over an <a href="http://www.healthcareinfosecurity.com/encryption-c-209">encrypted</a> Jabber conversation, told the news site he used "an exploit in how companies use <a href="http://www.healthcareinfosecurity.com/compromised-rdp-server-tally-from-xdedic-may-be-higher-a-9218">RDP</a> [remote desk protocol]. So it is a very particular bug. The conditions have to be very precise for it."</p>
<p>The hacker is selling each of the databases for prices ranging from 151 to 607 bitcoins, according to <i>DeepDotWeb</i>.
The news site says the hacker provided it with images of the hacked
databases, with all the identifiable information redacted "so the target
company can remain anonymous for now."</p>
<p>The hacker also left a note on the dark web that appears to indicate
that the attacker attempted to extort payments from the healthcare
entities before putting the data up for sale on the darkweb, according
to <i>DeepDotWeb</i>.</p>
<p>"Next time an adversary comes to you and offers you an opportunity to
cover this up and make it go away for a small fee to prevent the leak,
take the offer. There is a lot more to come," the hacker warns,
according to the <i>DeepDotWeb</i> report.</p>
<p>Monetizing a security breach by asking for "hush money" is a classic
ploy, says researcher Stephen Cobb of security services firm ESET. "If
the attacker gains access to a sensitive database, his top three options
to make money are to ransom it, sell it on the black market or simply
ask for money to keep quiet," he says. "In this case it looks like the
hush money request did not work out, hence the offer for sale."</p>
<h3>Records for Sale</h3>
<p>The sale of health information on the dark web is commonplace,
research organizations and law enforcement agencies have confirmed in
numerous reports, notes Mac McMillan, CEO of the security consultancy
CynergisTek .</p>
<p>"Once information has been stolen, it can be resold over and over
again, which is why healthcare information is so valuable and at the
same time so dangerous - it's not perishable."</p>
<p>So, if an entity is breached and data stolen, "there is a good chance it will be sold," McMillan says.</p>
<p>Organizations that get a warning from hackers or other third-parties
about their stolen data purportedly being for sale on the dark web
should immediately conduct a forensics examination to determine whether
the report is accurate and the data is authentic and contact law
enforcement authorities, McMillan says. </p>
<p>To prevent this kind of data theft, McMillan advises healthcare entities to "eliminate passwords as a single factor for <a href="http://www.healthcareinfosecurity.com/authentication-c-206">authentication</a>,
encrypt your data and employ data loss protection [technology] to
identify other instances of the information, like the Access database,
and stop the exfiltration of the information."</p>
<h3>Not Just Hacker Breaches</h3>
<p>But it's not only <a href="http://www.healthcareinfosecurity.com/breach-response-c-324">breaches</a>
involving hacker attacks that can result in health data being sold on
the dark web, warns Ann Paterson, senior vice president and program
director of the non-profit coalition Medical Identity Fraud Alliance.</p>
<p>"While MIFA doesn't delve into the dark web, we don't take for
granted that lost data, whether through malicious hacking or inadvertent
loss such as a lost <a href="http://www.healthcareinfosecurity.com/mobility-c-212">laptop</a>,
is immune to being sold on the dark web. Such cases are not surprising,
since those who work in this area understand that selling protected
health information is lucrative - it's one of the drivers why this type
of crime is growing."</p>
<p>Paterson advises healthcare entities that experience PHI data loss to
work with law enforcement and cyber investigators to try to determine
if the data has made its way to the dark web. "However, this is often
difficult to determine, since data may not be advertised immediately
after the loss happens. Fraudsters often 'sit' on the data for a while
before attempting to sell it."</p>
<p>Consumers also need to become more educated about the details of
medical identity theft and fraud to understand how they might be
affected when their PHI is compromised, she says. </p>
<p>"As a society, many of us are experiencing 'data breach fatigue' and
may not be paying as close attention to the potential fraud threats when
we've been part of a breach. This is dangerous, since there are plenty
of indications that PHI is being bought and sold for <a href="http://www.healthcareinfosecurity.com/fraud-c-148">fraudulent</a> purposes."</p>
<p>And although the owners of the three healthcare databases reportedly
being sold on the dark web haven't yet been publicly identified,
affected healthcare organizations can often recognize if any of their
stolen data is showing up on the dark web, McMillan says. "These records
should be an exact match for ones in someone's system," he says. "They
should be able to search their system and match them."</p>
<p>But Cobb says confirming the source of stolen data appearing for sale on the dark web can be complicated.</p>
<p>"This can be quite difficult, given that records for one patient may
be in dozens of databases belonging to different participants in the
highly complex U.S. healthcare delivery and reimbursement system," he
says. "Sometimes the seller will reveal the data structure or the
database software in which the records were stored, but again, this is
not necessarily conclusive, since many institutions use the same
software. If a seller has logs of the breach activity, this would be
more conclusive, but the seller might not have these and may not be the
original breach [source]."</p>
<p>And the same data may be breached numerous times, by multiple
attackers, using either the same or different attack vectors, Cobb
notes, "particularly if the target organization is not closely
monitoring for attacks."</p><br></div>