Cyber Criminals Demand Ransom for 655,000 Patient Records

The famous American criminal Willie Sutton was once asked why he robbed banks, to which he is reported to have answered, “Because that’s where the money is”. The statement is apropos to a question that many people are asking in response to the accelerating frequency of cyberattacks on hospitals: because that’s where the personal information is. Personal information equals money! In fact, it is estimated that personal information is worth ten times more on the black market than a credit card number. As Paul Syverson, Co-creator of the Tor web browser, says, “Your medical records have bullseyes on them.”

Therefore, it should come as no surprise to read the numerous headlines in 2016 concerning cyber attacks on healthcare organizations. The year started with a highly publicized ransomware attack on the Hollywood Presbyterian Medical Center in February, which shut down the hospital for nearly a week until management agreed to pay $17K to the cyber criminals.

Unfortunately, that attack proved to be simply the opening shot across the bow at the health care industry. Earlier this summer a trio of data breaches culminated in a loot of 655,000 patient records. The breaches were carried out by a hacker or hacker group using the name “The DarkOverLord,” a former ransomware expert who has now chosen to pursue the high-stakes game of stealing patient health information (PHI) records. The breach was discovered when the hacker contacted the three health organizations involved to alert them that their patient databases had been captured and that samples had been posted on a site called RealDealMarket, an unscrupulous site on the dark web where cybercriminals sell everything from stolen credit cards to drugs.

The data breach included the following:

  • 48,000 patient records from a clinic in Farmington, Missouri, United States. The records were acquired from a Microsoft Access database in plain text.

  • 210,000 patient records from a clinic in the central Midwest United States, also captured in plain text. The records include Social Security numbers, first and last names, middle initial, gender, date of birth, and postal address.

  • The largest breach was a database of 397,000 records from a large clinic based in Atlanta, Georgia, which also included primary and secondary health insurance and policy numbers. Like the other incidents, the data was not encrypted.

The DarkOverLord is demanding a ransom of $1 per record from each of the organizations and has assigned a separate deadline to each victimized organization. If his demands are not met by those dates, the records will be sold to multiple buyers. The hacker claims that he contacted all three organizations prior to stealing the patient records to inform them that he had breached their networks and was asking for funds to inform them of their vulnerabilities, but heard nothing. “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer,” The DarkOverLord said in an interview with a news site that reports on the hacking community.

The three attacks all share the same means of incursion, as all three clinics were affiliated with the same third-party health care information management application. The hacker was able to infiltrate the vendor’s network and took advantage of several SQL exploits. The attacker(s) then used a zero-day RDP exploit to gain access to the three clinics.

All three clinics contacted their patients to alert them of the breach and the impending risk of identity theft. In the case of the Atlanta-based firm, local police have already begun taking reports from patient victims who say their credit has been compromised. All three organizations must now suffer major hits to their credibility and reputation, and lawsuits will undoubtedly follow. According to a 2016 study by the Ponemon Institute, the average cost per stolen record in the United States healthcare industry is $355, compared with $158 globally.

All of this points to the importance of encrypting your data, especially in the cloud. The days of storing data in plain text are over. No one wants to ever be contacted by a hacker.