Nearly 10 million medical records have been found for sale on the dark web. A vendor calling itself ‘Dark Overlord’ has listed 9,278,352 plaintext records on the dark web vendor The Real Deal for 750 bitcoin (nearly £400,000).
Dark Overlord further claims that the records contain names, addresses, emails, phone numbers and social security numbers.
The millions of records were taken using a zero-day within a remote desktop protocol from “a large healthcare organisation in the United States”, according to the vendor's description.
The vendor assures prospective customers that the data has not been leaked anywhere, so anyone who buys it will supposedly have a monopoly on the data. According to the outlet which first reported the posting, IB Times UK, the legitimacy of the data has not yet been verified.
The hacker supposedly asked for a fee from the victim, although the victim did not pay up. This doesn't appear to be a ransomware attack, according to Ondrej Kubovic, IT security specialist at ESET.
He told SCMagazineUK.com that “The attacker found vulnerabilities in the affected companies' systems that allowed him to get access to the records, then – apparently unsuccessfully – demanded a small fee to prevent the leak and now he/she is trying to sell the loot on a dark web marketplace. There is no guarantee that the data is genuine, but we can assume that the attacker would not put such a price tag on data he would not be able to prove genuine to a potential buyer.”
The dark web, often confused with the deep web, is the part of the internet not indexed by search engines. This murky realm often comes in the form of private, encrypted networks which require special software or configurations to access.
As the consumer press so often report, this is an area where illegality thrives. Drugs, arms, fraud services, rentable malware, stolen property, fake credentials and more can all be found on such networks. It has been the subject of intense interest in recent years from the public, private companies and governments alike.
Medical records have also become a premium commodity in recent years. While credit cards and other kinds of personally identifiable information are the bread and butter of the illegal data market, medical records can offer so much more to the willful cyber-criminal.
According to Ben Johnson, co-founder of Carbon Black, health records can go for US$10 to US$50 (£7.50 to £37) on the black market. Credit card numbers can be sold for a comparative pittance. Moreover, medical records contain a wealth of personally identifiable information, not only about the patient but about family members too, as well as medical conditions and prescriptions.
Furthermore, hospitals are often easier to get into than one might expect. Brian Spector, CEO of MIRACL, told SC: “Hospital IT systems are notoriously fragmented and complex, with networks crossing wards, laboratories and offices. They are also among the most vital and important in any organisation – because if their systems go down, people's lives may be at risk.”