- Black man films ‘Crosswalk Cathy’ yelling racist slurs at him Tuesday 6:47 PM
- Guerrilla artists turn John Oliver billboard ad into right-wing meme Tuesday 4:20 PM
- Netflix lines up unnecessarily good cast for ‘Green Eggs and Ham’ Tuesday 3:48 PM
- Netflix drops trailer for Mötley Crüe biopic ‘The Dirt’—and the cast is wild Tuesday 3:41 PM
- QAnon’s repetitive posts are alienating even his most ardent supporters Tuesday 3:36 PM
- Noah Cyrus cries on Instagram after Lil Xan’s baby announcement Tuesday 2:26 PM
- The ‘Well yes, but actually no’ meme is here to help you explain things Tuesday 12:07 PM
- Judge orders Roger Stone to appear in court after his Instagram post Tuesday 11:24 AM
- I worked with the migrant caravan—and Trump is the cause of his national emergency Tuesday 11:09 AM
- How to watch Liverpool vs. Bayern Munich online for free Tuesday 11:08 AM
- ‘Patriot Act’ volume 2 proves Hasan Minhaj is the next big star of the news-comedy genre Tuesday 11:01 AM
- ‘Friends From College’ canceled after 2 seasons at Netflix Tuesday 10:53 AM
- Allow your wallet to be your spirit guide during this rad anime sale Tuesday 10:43 AM
- Man stages fake DUI trial to propose to girlfriend, and people are asking why Tuesday 10:40 AM
- Bernie Sanders’ website full of 404s on launch day Tuesday 10:23 AM
655,000 patient records for sale on the dark net after hacking victims refuse extortion demands
The hacker says there is more to come.
For 655,000 patients who were enjoying a quiet Sunday, life may become a lot more complicated. Their personal, medical, and insurance information is up for sale in a forum on the dark net.
Early on Sunday, “TheDarkOverlord” listed three databases for sale on TheRealDeal market. None of the victim entities from which the databases were stolen were named, but the database descriptions included geographic area.
The first database was listed as a “Healthcare Database (48,000 Patients) from Farmington, Missouri, United States.” Priced at about $100,000, the database contains patient information including first and last name; middle initial; postal address; Social Security number; date of birth; gender; marital status; email address; and home, work, and cellphone numbers. The Daily Dot was able to obtain a small sample of unredacted data from this database. Some of the data, such as addresses and phone numbers, were found to be out of date when we attempted to verify the data, but we were able to verify some of it.
The second database was described as “(210,000 Patients) from Central/Midwest United States.” The seller comments, “it was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”
Priced at $200,000, this database includes Social Security numbers, first and last names, middle initial, gender, date of birth, and postal address.
The third database was described as “Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States:”
This product is a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.
Priced at $400,000, this database contains a lot more fields, including primary and secondary health insurance and policy numbers, in the following format:
/PrimaryHealthInsType, / PrimaryHealthInsCo,/ PRIMINSPOLICYID, / PRIMINSGROUPID, / SecondaryHealthInsType,/SecondaryHealthInsCo, / SECONDARYINSPOLICYID, / SECONDARYINSGROUPID,/ Address1, / Address2,/ Age, / DOB, / CellPhone, / City, / Email,FNameCaps, / MI,LNameCaps, / NamePrefix, / Phone, / WorkPhone, / Sex, / SSNO, / State, / Zip
Those fields don’t tell the whole story, though, about what data the hacker has acquired, as the hacker is in possession of patients’ sensitive medical information as well. According to TheDarkOverlord, the Atlanta entity uses SRS EHR v. 9 software, which, he told the Daily Dot, is very vulnerable. (The Daily Dot is unaware of TheDarkOverlord’s gender and whether there is more than one hacker involved. This article uses the pronoun “he” merely for the sake of simplicity and clarity.)
“I found several exploits to remotely access the SRSSQL servers,” he claimed in a private chat. “It was like stealing candy from a baby.”
All versions of SRS are vulnerable, he claims. “I suggest anyone using an SRS EHR cease activity of it immediately. I have already plundered as many as I could find since I discovered the vulnerability,” he said.
The following screenshots, provided by the TheDarkOverlord to the Daily Dot, give a sense of how much information on any one patient has been stolen. Identifying information was first redacted by the hacker or hackers.
The Daily Dot has reached out to one entity in the Atlanta area that may be the victim entity and have asked them to confirm whether they have suffered a breach. This story will be updated if and when we get a response.
In the marketplace, TheDarkOverlord claims he is attempting to sell only one copy of each database:
Ownership of this database will be exclusive and only a single copy will be sold. This has not been leaked anywhere and it has not yet been abused. If you are interested in purchasing this database and would like to make an offer other than what is listed, send a PM. Only serious offers will be entertained.
Extortion attempt failed
The offer for sale appears to be the result of the victim entities refusing to pay extortion demands. TheDarkOverlord asked DeepDotWeb to add this note to their reporting on the situation:
Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.
In a chat with TheDarkOverlord, he readily acknowledged that he has sought money from the entities. He would not be specific as to how much he had demanded in all cases (other than to say that it was less than $1 million), except in the case of the Farmington victim, where he indicated that he had sought 250 bitcoins, or about $160,000 at current exchange rates. The Farmington victim has until July 8 to pay up or the entire database will be leaked, he says.
When asked for how long he has had access to the Farmington system, TheDarkOverlord told the Daily Dot:
I have had access to his system since early 2016. I only started getting aggressive with data collection recently in May and he only knew of my access once I sent him the ransom email.
They use a microsoft Access database – an EHR system called MedTech.
Storing plaintext username and passwords
Under the federal law known as HIPAA, entities are not required to deploy encryption, but they are required to have technical safeguards in place.
“If the entities pay up, the patient data is not exposed,” TheDarkOverlord told the Daily Dot. “I delete everything I have once a victim pays. I also supply a report regarding the results and the documentation of my attack. A little token of gratitude and support.”
As to the vulnerabilities he has found and used, including a 0-day Remote Desktop Protocol (RDP), TheDarkOverlord has no intention of ever selling those.
“I keep all my exploits private for my own use,” he said. “Never publish it. Perhaps some of the victims know from the reports once they pay.”
So how many databases are they currently sitting on? “A number that is large and sad” was TheDarkOverlord’s answer.
Because the Daily Dot has yet to see proof of some of the claims TheDarkOverlord made with respect to other entities, we are not publishing their names.
As the government has pushed providers into greater use of EMR and interoperability, one can only ponder what TheDarkOverlord also told this reporter during our chat:
“Networking is the downfall of most of my targets.”
Dissent Doe is the pseudonym of a privacy advocate and activist who blogs about privacy issues and data security breaches PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such asDataLossDB.org and InfoisBeautiful, and has served as the basis for a number of investigations by the Federal Trade Commission.
Dissent Doe is the pseudonym of a privacy advocate and activist who blogs about privacy issues and data security breaches on PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and has served as the basis for a number of investigations by the Federal Trade Commission.