A Hacker is Selling the Medical Records of 10 Million Patients

A hacker is selling four databases containing a total of 10 million medical records of patients of US hospitals on the Dark Web. According to the site Deepdotweb.com, which was able to interview the cybercriminal, the data was stolen by exploiting a vulnerability in the hospitals’ computer systems.

The hacker, whose identity is concealed under the pseudonym Thedarkoverlord, is offering the four databases separately on the site TheRealDeal, accessible via the TOR network.

The largest database, which alone contains more than nine million individual records, is being sold for 750 Bitcoins – nearly 450,000 euros.


The medical records contain highly confidential patient information: first and last names, complete addresses and telephone numbers, but also diagnoses, allergies, prescriptions and their frequency.

Each record is therefore worth about 20 euros, a price which seems rather low considering the amount of information available in these records, compared to a typical “fullz” (credit card, account number and owner information) that is traded for around 30 euros.

Screenshot from the Deepdotweb.com website

The other three databases have a smaller number of records, ranging from 48,000 to 350,000.

Hospitals, easy prey for cybercriminals

Hospitals are regularly attacked by hackers, especially via ransomware, which paralyzes the institutions' operations. In February 2016, a ransomware attack on Hollywood Presbyterian Medical Center came with a demand for more than three million euros, a sum later reduced to 15,000 euros, which the hospital ultimately paid to restore its operations.

Hospitals are known for using vulnerable machines (Windows XP for example, which has been out of support for several years), as regularly reported in the trade press.

A US law also obliges health services to make public any data leak involving more than 500 patients – this leak promises to become an additional test for US hospitals, whose reputation for computer security is regularly called into question.