[BreachExchange] 3 Stolen Health Databases Reportedly for Sale on Dark Web

Inga Goddijn inga at riskbasedsecurity.com
Mon Jun 27 23:03:45 EDT 2016


http://www.databreachtoday.com/3-stolen-health-databases-reportedly-for-sale-on-dark-web-a-9227

A hacker is reportedly selling on the dark web copies of databases stolen
from three unidentified U.S. healthcare organizations containing data on
655,000 individuals for prices ranging from about $96,000 to $386,000 in
bitcoin for each database.

The hacker taking credit, who calls himself "thedarkoverlord," is operating
on the TheRealDeal dark web marketplace and is offering to sell "a unique
one-off copy of each of the three databases," according to the dark net news
site *DeepDotWeb*
<https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/>.

The hacked data being sold, according to *DeepDotWeb*, includes:

   - A database containing plaintext data of 397,000 patients of a
   healthcare organization based in Georgia, which was "retrieved from an
   accessible internal network using readily available plaintext usernames and
   passwords," the apparent hacker told *DeepDotWeb*;
   - A database containing plaintext data of 210,000 patients from a
   healthcare provider operating in the central and Midwestern region of the
   U.S., which the hacker claims "was retrieved from a severely misconfigured
   network using readily available plaintext usernames and passwords";
   - A database containing data of 48,000 patients of a Farmington,
   Mo.-based healthcare organization, which the hacker claims "was retrieved
   from a Microsoft Access database within their internal network using
   readily available plaintext usernames and passwords."

Media website *The Daily Dot*
<http://www.dailydot.com/politics/655000-patient-records-dark-net/>, which
says it examined TheRealDeal listings for the three databases, reports that
among the data being sold are patients' names, dates of birth, addresses,
phone numbers and Social Security numbers.

Extortion Attempt

*DeepDotWeb* reports that the self-proclaimed hacker, in an encrypted Jabber
conversation <http://www.healthcareinfosecurity.com/encryption-c-209>, told
the news site he used "an exploit in how companies use RDP [Remote Desktop
Protocol]. So it is a very particular bug. The conditions have to be very
precise for it." (On RDP compromise more broadly, see
<http://www.healthcareinfosecurity.com/compromised-rdp-server-tally-from-xdedic-may-be-higher-a-9218>.)

The hacker is selling each of the databases for prices ranging from 151 to
607 bitcoins, according to *DeepDotWeb*. The news site says the hacker
provided it with images of the hacked databases, with all the identifiable
information redacted "so the target company can remain anonymous for now."

The hacker also left a note on the dark web that appears to indicate that
the attacker attempted to extort payments from the healthcare entities
before putting the data up for sale on the darkweb, according to
*DeepDotWeb*.

"Next time an adversary comes to you and offers you an opportunity to cover
this up and make it go away for a small fee to prevent the leak, take the
offer. There is a lot more to come," the hacker warns, according to the
*DeepDotWeb* report.

Monetizing a security breach by asking for "hush money" is a classic ploy,
says researcher Stephen Cobb of security services firm ESET. "If the
attacker gains access to a sensitive database, his top three options to
make money are to ransom it, sell it on the black market or simply ask for
money to keep quiet," he says. "In this case it looks like the hush money
request did not work out, hence the offer for sale."

Records for Sale

The sale of health information on the dark web is commonplace, as research
organizations and law enforcement agencies have confirmed in numerous
reports, notes Mac McMillan, CEO of the security consultancy CynergisTek.

"Once information has been stolen, it can be resold over and over again,
which is why healthcare information is so valuable and at the same time so
dangerous - it's not perishable."

So, if an entity is breached and data stolen, "there is a good chance it
will be sold," McMillan says.

Organizations that get a warning from hackers or other third parties that
their stolen data is purportedly for sale on the dark web should
immediately conduct a forensics examination to determine whether the report
is accurate and the data is authentic, and should contact law enforcement
authorities, McMillan says.

To prevent this kind of data theft, McMillan advises healthcare entities to
"eliminate passwords as a single factor for authentication
<http://www.healthcareinfosecurity.com/authentication-c-206>, encrypt your
data and employ data loss protection [technology] to identify other
instances of the information, like the Access database, and stop the
exfiltration of the information."
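As an added example, not code from the article or from CynergisTek, the kind of discovery pass McMillan's data-loss-protection point calls for can start with a plain file-share scan: the script below walks a directory tree, flags Access (Jet/ACE) database files by the signature at byte offset 4 of their header, and counts SSN-shaped strings in any file, skipping area, group and serial values that are never issued. It runs over a constructed temporary tree of invented files; the file names, the 4 MB read cap and the sample values are assumptions.

```python
"""Added example (not from the article): find Access databases and SSN-like data on a file tree."""
import os
import re
import tempfile

# Jet/ACE (Access .mdb/.accdb) files carry this marker at byte offset 4.
ACCESS_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

# Loose US SSN shape AAA-GG-SSSS, skipping area/group/serial values that are never issued.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def classify_bytes(data):
    """Return {kind: count} findings for one file's contents."""
    findings = {}
    if data[4:19] in ACCESS_SIGNATURES:
        findings["access-db"] = 1
    hits = SSN_RE.findall(data)
    if hits:
        findings["ssn-like"] = len(hits)
    return findings


def scan_tree(root, max_bytes=4 * 1024 * 1024):
    """Walk root; map each flagged file's path (relative to root) to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)  # cap reads; very large files get a partial scan
            except OSError:
                continue
            findings = classify_bytes(data)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_demo_tree():
    """Create a throwaway directory of constructed files (invented values) and return its path."""
    root = tempfile.mkdtemp(prefix="phi-scan-")
    # A minimal Jet header: four zero bytes, then the signature string.
    with open(os.path.join(root, "patients.mdb"), "wb") as f:
        f.write(b"\x00\x00\x00\x00Standard Jet DB\x00" + b"\x00" * 100)
    # A CSV export as a clinic might leave on a share; the last row's area number 9xx is never issued.
    with open(os.path.join(root, "export.csv"), "wb") as f:
        f.write(b"name,dob,ssn\n"
                b"Jane Roe,1970-01-01,123-45-6789\n"
                b"John Doe,1965-05-05,219-09-9999\n"
                b"Bad Row,1980-02-02,987-65-4321\n")
    os.makedirs(os.path.join(root, "notes"))
    with open(os.path.join(root, "notes", "readme.txt"), "wb") as f:
        f.write(b"Meeting 2016-06-27: no patient data in this folder.\n")
    return root


def demo_report():
    """Scan the constructed tree: patients.mdb is an Access file, export.csv has 2 valid SSN hits."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for path, findings in sorted(demo_report().items()):
        print(path, findings)
```

On a real share the scan would be pointed at the mounted file systems and its findings fed to whatever inventory or DLP tooling the organization runs; the header check is what catches a stray Access database even when it has been renamed, and the SSN pattern is deliberately loose, so hits are leads to triage rather than confirmed PHI.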

Not Just Hacker Breaches

But it's not only breaches
<http://www.healthcareinfosecurity.com/breach-response-c-324> involving
hacker attacks that can result in health data being sold on the dark web,
warns Ann Paterson, senior vice president and program director of the
non-profit coalition Medical Identity Fraud Alliance.

"While MIFA doesn't delve into the dark web, we don't take for granted that
lost data, whether through malicious hacking or inadvertent loss such as a
lost laptop <http://www.healthcareinfosecurity.com/mobility-c-212>, is
immune to being sold on the dark web. Such cases are not surprising, since
those who work in this area understand that selling protected health
information is lucrative - it's one of the drivers why this type of crime
is growing."

Paterson advises healthcare entities that experience PHI data loss to work
with law enforcement and cyber investigators to try to determine if the
data has made its way to the dark web. "However, this is often difficult to
determine, since data may not be advertised immediately after the loss
happens. Fraudsters often 'sit' on the data for a while before attempting
to sell it."

Consumers also need to become more educated about the details of medical
identity theft and fraud to understand how they might be affected when
their PHI is compromised, she says.

"As a society, many of us are experiencing 'data breach fatigue' and may
not be paying as close attention to the potential fraud threats when we've
been part of a breach. This is dangerous, since there are plenty of
indications that PHI is being bought and sold for fraudulent
<http://www.healthcareinfosecurity.com/fraud-c-148> purposes."

And although the owners of the three healthcare databases reportedly being
sold on the dark web haven't yet been publicly identified, affected
healthcare organizations can often recognize if any of their stolen data is
showing up on the dark web, McMillan says. "These records should be an
exact match for ones in someone's system," he says. "They should be able to
search their system and match them."

But Cobb says confirming the source of stolen data appearing for sale on
the dark web can be complicated.

"This can be quite difficult, given that records for one patient may be in
dozens of databases belonging to different participants in the highly
complex U.S. healthcare delivery and reimbursement system," he says.
"Sometimes the seller will reveal the data structure or the database
software in which the records were stored, but again, this is not
necessarily conclusive, since many institutions use the same software. If a
seller has logs of the breach activity, this would be more conclusive, but
the seller might not have these and may not be the original breach
[source]."
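McMillan's suggestion that a provider can search its own system for the advertised records, and Cobb's caveat that a patient's details sit in many organizations' databases, can both be put into practice with the added example below (not code from the article, ESET or CynergisTek). It normalizes formatting differences a seller's dump would introduce, then compares keyed HMAC-SHA256 fingerprints of the sample against the internal records on two bases: SSN alone, which will also match records that originated elsewhere, and every field together, which is the stronger signal. The records, the field set and the demo key are constructed assumptions; the keyed fingerprints can be handed to investigators without exposing the underlying PHI.

```python
"""Added example (not from the article): compare a seller's sample against internal records via keyed fingerprints."""
import hashlib
import hmac
import re

# Constructed records: invented names and numbers, not data from any breach.
INTERNAL_RECORDS = [
    {"name": "Jane Roe",  "dob": "1970-01-01", "ssn": "123-45-6789", "phone": "(555) 010-0001"},
    {"name": "John Doe",  "dob": "1965-05-05", "ssn": "219-09-9999", "phone": "(555) 010-0002"},
    {"name": "Ann Smith", "dob": "1988-12-12", "ssn": "321-54-9876", "phone": "(555) 010-0003"},
    {"name": "Bob Lee",   "dob": "1950-07-07", "ssn": "456-78-9012", "phone": "(555) 010-0004"},
]

# The sample as a seller might format it; the third row shares an SSN but carries a different phone,
# as a record of the same patient held by another provider would.
LEAKED_SAMPLE = [
    {"name": "JANE  ROE",  "dob": "1970-01-01", "ssn": "123456789",   "phone": "5550100001"},
    {"name": "John Doe",   "dob": "1965-05-05", "ssn": "219-09-9999", "phone": "555-010-0002"},
    {"name": "Ann Smith",  "dob": "1988-12-12", "ssn": "321-54-9876", "phone": "555-010-0999"},
    {"name": "Carol King", "dob": "1992-03-03", "ssn": "111-22-3333", "phone": "555-010-0777"},
]

STRONG_FIELDS = ("name", "dob", "ssn", "phone")  # every field must agree
WEAK_FIELDS = ("ssn",)                            # SSN alone is shared across many providers


def normalize(rec):
    """Canonicalize formatting so a dump written by another system still compares equal."""
    return {
        "name": " ".join(rec["name"].lower().split()),
        "dob": rec["dob"],
        "ssn": re.sub(r"\D", "", rec["ssn"]),
        "phone": re.sub(r"\D", "", rec["phone"])[-10:],
    }


def fingerprint(key, rec, fields):
    """HMAC-SHA256 over the chosen fields; without the key a digest can be neither reversed nor re-created."""
    msg = "\x1f".join(normalize(rec)[f] for f in fields).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def match_report(key, internal, leaked):
    """Count leaked records that match internal ones on SSN only versus on every field."""
    strong = {fingerprint(key, r, STRONG_FIELDS) for r in internal}
    weak = {fingerprint(key, r, WEAK_FIELDS) for r in internal}
    return {
        "sampled": len(leaked),
        "ssn_only": sum(fingerprint(key, r, WEAK_FIELDS) in weak for r in leaked),
        "all_fields": sum(fingerprint(key, r, STRONG_FIELDS) in strong for r in leaked),
    }


def demo_report():
    """Expected for the constructed data: 4 sampled, 3 match on SSN, 2 match on all fields."""
    # Hypothetical key for the demo; generate a real one with secrets.token_bytes(32) and keep it internal.
    return match_report(b"demo-only-key", INTERNAL_RECORDS, LEAKED_SAMPLE)


if __name__ == "__main__":
    print(demo_report())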

And the same data may be breached numerous times, by multiple attackers,
using either the same or different attack vectors, Cobb notes,
"particularly if the target organization is not closely monitoring for
attacks."