Hacker puts almost 10 million healthcare records up for sale on dark web

[midian182]

There has been another reported incident of a hacker selling stolen personal information on the dark web. This time, a cybercriminal is offering almost 10 million patient records for around $820,000.

The seller, who calls himself “thedarkoverlord,” started listing the data on dark web black market TheRealDeal over the weekend. There are four databases on offer, which includes patient details such as names, addresses, dates of birth, social security numbers, and health insurance information.

The largest batch, containing over 9.2 million patient records stolen from a US health insurance provider, is on sale for 750 bitcoins, which is around half a million dollars.

The other databases allegedly originate from three different, unnamed healthcare organizations: one in Farmington, Missouri that contains 48,000 records for 60 bitcoins; another in Atlanta, Georgia has 397,000 for 300 bitcoins, and the third in the Central/Midwest US with 210,00 entries for 170 bitcoins.

Thedarkoverlord claims to have already sold $100,000 worth of records from the Georgia database. “Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically,” the hacker said.

Motherboard was provided with a sample of records from the Georgia database. The vast majority of phone numbers connected to the correct person, and one individual confirmed that their details were correct. Many of those contacted declined to be interviewed.

The hacker said he stole the data using a zero-day vulnerability in the remote desktop protocol, which allows users to control computers from afar. "This product is an extremely large database in plaintext from a large insurance healthcare organization in the United States," the hacker wrote. "It was retrieved using a 0day within the RDP protocol that gave direct access to this sensitive information."

Hospitals and other healthcare providers are becoming an increasingly popular target for hackers. Several hospitals have been hit with ransomware attacks this year, and the nation’s second largest health insurance provider – Anthem – said as many as 80 million personal records may have been compromised during a 2015 security breach.

Permalink to story.

https://www.techspot.com/news/65368-hacker-puts-almost-10-million-healthcare-records-up.html

 

[oldikes]

Because everyone on the dark web will feel like its legit buying healthcare records from an edgy 13 year old "the dark overlord"

All joking asside, this sucks for those ionvolved.

 

[Uncle Al]

A lifetime ban on the child's access to any form of computer, cell phone, or data processing would seem appropriate, after all they have no care of concern for the harm they are causing, why should we care about them?

 

[RustyTech]

I'd love to know when/where a 13 year old had the time and wherewithal to hack a healthcare server with a 0day vulnerability. Lets just ignore the fact that this 13 year old would need knowledge of where these servers are located and the addresses needed to access them.

Heck! lets write off..errr blame all these hacks on those that we know could never have the capacity to pull such a thing off; as they say, ignorance is bliss - even if it's self imposed.

 

[Theinsanegamer]

A lifetime ban on the child's access to any form of computer, cell phone, or data processing would seem appropriate, after all they have no care of concern for the harm they are causing, why should we care about them?

Because such punishment usually backfires? Instead of just banning them from a tool that is becoming crucial to getting a job or paying bills, how about we get him the help he needs, so he can see the error of his ways and change?

If he offends multiple times afterwards, then a ban would be more appropriate, although hard to enforce, but until he has had professional help and a chance to change talking about banning him is a bit of a jump.