Healthcare Records Sold on Dark Web

A clinic in Baltimore is just one example of a healthcare provider having its records stolen, only to find them for sale on the Dark Web for less than $0.01 per record.

Last August a Baltimore substance abuse treatment facility had its database hacked. Patient records subsequently found their way onto the Dark Web, according to  The group noticed such things as dates of admission, whether the patients are on methadone, their doctors and counselors, and dosing information.

In the blog, the hacker “Return,” who they think is Russian, described how he compromised the Man Alive clinic: “With the help of the social engineer, applied to one of the employees. Word file with malicious code was downloaded.”

The sample provided by Return consisted of 727 pages of unredacted patient profiles containing personal and treatment information on 633 patients, wrote.

Flashpoint’s Director of Research Vitali Kremez said healthcare records have been a key economic driver of the Dark Web economy for many years because they are such a rich source of very specific and in some cases immutable personal information that can be used to initiate many types of fraud, from insurance to identity and tax fraud. These types of fraud cost taxpayers billions of dollars annually, according to the FTC.

Kremez said the initial attack vector appears to be a vulnerable Remote Desktop Protocol (RDP) server belonging to the Baltimore clinic. In this case, Flashpoint saw complete patient information stolen from a clinic in Baltimore, over 43,000 records, offered at a price of $300, or less than $0.01 per record.

The Identity Theft Resource Center reported that there were 355 breaches in 2016 affecting 15 million records. 2016 was a record year for US Healthcare breaches – affecting hospitals, dental clinics, and senior care facilities, among others — with the top 10 breaches netting criminals in excess of 13 million records, and the Dark Web literally flooded with “fullz” (full packages of personally identifiable information) as well as patient insurance information.


“So much so was the glut that extensive Flashpoint Dark Web research saw fullz actually commoditizing and the value of individual fullz decreasing. While Flashpoint has observed actors offering medical data for a bulk price of $7 per record, the industry standard for the value of an individual record is now at $0.50-$1,” Kremez said.

He said information like birthdates, Social Security numbers and driver’s license information are used to fill out, submit and validate any number of fraudulent accounts or transactions – such as income tax filing, financial aid applications or insurance claims. Marital status or emergency contact and employment information can also be used to guess security validation or password reset questions. And email addresses or phone numbers can be used to evade anti-fraud mechanisms such as PIN systems or multifactor authentication.

Flashpoint has also seen the emergence of Health Savings Account (HSA) fraud. While not new, HSA fraud has evolved substantially in credibility, complexity, and frequency since 2016. It is harder to detect because HSA accounts typically have less subscriber and institutional oversight, Kremez reported. In fact, recent estimates suggest that there are more than 20 million existing HSA accounts that hold nearly $37 billion in assets, which represents a year-over-year increase of 22 percent for HSA assets and 20 percent for accounts.

“The healthcare sector remains a highly targeted industry as it offers rich, bundled resources of financial, personal, and medical information that can be exploited and often sold within the Deep and Dark Web (DDW),” he said. Common exploitation vectors remain vulnerable Remote Desktop Protocol (RDP) servers, web application vulnerabilities, and FTP servers belonging to healthcare organizations.

HIPAA Compliance

And, of course, whenever you talk about Healthcare records, you have to pay attention to compliance.

Full understanding and support from the highest levels of management are absolutely critical to the success of any security program, wrote Tracy Reed, CEO of Copolitco, a professionally managed, secure server hosting company that helps companies adhere to the Health Insurance Portability and Accountability Act (HIPAA). Every employee who will interact with the security program must understand the importance of security and adhering to policy.

In addition, the majority of software developers and system administrators are not accustomed to working in an environment containing federally regulated information such as ePHI, Copolitco wrote. Security controls may chafe developers as they have to adjust how they do things. “All companies who have a compliance obligation must remember that the point of HIPAA compliance is to impose a certain level of security,” said Reed. “Security is the ultimate goal, not necessarily compliance. Compliance comes as a result of having a good security program. Being compliant does not mean you are secure; it merely means you have ‘checked the boxes.’”

An HHS Office for Civil Rights official stated at the recent HIMSS and Healthcare IT News Privacy & Security Forum in Boston that the organization will be conducting on-site audits of hospitals in 2017 and that OCR is engaged in over 200 audits at the moment. One hundred and sixty-seven are looking at providers, and it sent out 48 to business associates, according to OCR senior adviser Linda Sanches.

Sanches further states that they will be involved in some on-site audits in 2017 and that the goal is to find vulnerabilities that the government is not currently aware of. She pointed out the lack of risk analysis and management as serious issues among covered entities and business associates.

All companies with a compliance obligation must remember that the point of compliance is to impose a certain level of security. Compliance comes as a result of having a good security program. Thus, being compliant does not mean you are secure, Copolitco wrote in its report. There are many things that could still result in a compromise such as an employee accidentally leaking a passphrase by getting his computer infected with malware or a bug in a web application exposed directly to the Internet.

“When thinking about risk, risk analysis and mitigation as it relates to HIPAA compliance, business owners often wonder why they have to worry about security,” said Reed. “Often, their attitude is, ‘Who would want to harm us? We are small and have nothing that would be useful or of value to anyone else.’”

She said aside from the threat of federal enforcement action via civil and criminal penalties, healthcare data is often valued for unexpected reasons, including extortion, reputational damage, competitive advantage and more.

Both compliance and security are ongoing efforts. There are always new vulnerabilities discovered, new versions of software coming out, and advances in the state of the art in terms of attacking and defending.

“Prevention, detection and response are the three main components of a sound HIPAA compliance program,” said Reed. “Using secure passwords, keeping systems patched up, and even employee background checks are considered prevention. But since there is no such thing as 100 percent security, we must also plan to detect problems such as intrusions or situations which could lead to intrusion and limit damage. Finally, a plan must be in place to respond to an intrusion to prevent the situation from getting worse and to ultimately resolve the issue.”

To read the entire article go to


Securolytics wants to help protect our hospitals and their patients. The more we are all aware of the great threat of cyber data breach, the better. Contact Securolytics now to learn more. Our global team is ready to assist you. We are all motivated by one overriding purpose: to keep organizations and businesses out of harm’s way from cyber criminals and sophisticated hackers.
