Historical Perspective on Dark Web Sale of 10 Million Health Records

Coinciding with the dark web sale of almost 10 million patient healthcare records, Panda Security has released a report (PDF) detailing the evolution of healthcare attacks over the last 10 years. It starts with isolated data thefts; progresses to large scale cyber thefts and now targeted ransomware attacks; and points to the possibility of both local and worldwide attacks on healthcare interconnected devices from pacemakers to medication delivery systems.

Healthcare has become the single most attacked industry sector. “According to the Office of Civil Rights of the United States,” notes the report, “during 2015 there were some 253 security holes in the healthcare sector which affected more than 500 people with more than 112 million records stolen.” One of the problems, suggests Panda, is healthcare’s traditional total focus on its patients. “We find ourselves with a technologically advanced industry with neglected IT security, and that is extremely disturbing.”

It’s against this background of somewhat neglected security that two separate factors motivate the criminals. The first and continuing wave of attacks is to steal patient records. “Medical information is very valuable and highly sensitive, so whoever controls this data can strike it rich,” notes the report. This is clearly seen in the price tag put on stolen health records.

There are four separate healthcare databases being offered for sale on the dark web. One of them purportedly contains the health records of 397,000 patients in Atlanta. In conversation with The Daily Dot, the hacker (aka TheDarkOverlord) confirmed Panda Security’s suggestion that healthcare is often poorly protected: “This product is a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”

The price tag he has placed on this database also confirms the value of medical records: $400,000. Compare this to a price tag of around $3000 for 427,000,000 MySpace records just two months ago (May, 2016). Quite simply, medical records are far more valuable, and therefore attractive, to the cyber criminal.

Andrew Patel, senior manager, technology at F-Secure, explains. “Essentially, PII is more valuable than credit card data, since it can’t easily be canceled. This data can be used to create fake IDs to buy medical equipment or drugs that can be resold, to file made-up claims with insurers, or simply to open bank accounts or apply for credit cards.”

“Medical records,” notes the Panda report, “contain a large amount of personal information, which might be used as the master key to carry out future targeted attacks.” A savvy user might take great care not to leave PII on the internet; but it cannot be kept out of medical records.

“The records reportedly include enough data to implement a wide range of scams based on identity theft (opening bank accounts and establishing lines of credit, insurance scams, taking out loans),” ESET senior research fellow David Harley told SecurityWeek. He added that given the common habit of re-using passwords, if the victims’ login details really were stored in plaintext, “it’s likely that their accounts on other sites have also become more vulnerable if sold to other criminals.”

The hacker in this instance made another interesting comment to The Daily Dot: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.” The implication is that after stealing the data, his first attempt was to use it for ransom purposes to get the health authority to ‘buy’ back its own data. Clearly, that health authority declined.

‘Ransom’ is the second motivating factor noted by the Panda report for increasing attacks on the health sector. Over the last year it has become clear that hospitals are being particularly targeted by ransomware. Panda gives examples of two particular US hospitals that were hit, and paid up: the Hollywood Presbyterian Medical Center (thought to have paid $17,000); and the Kansas Heart Hospital (where the hacker demanded a second payment that was then declined).

The worrying factor in this evolution of healthcare attacks is the worsening morality of the attackers. If you steal PII you can seriously affect the financial and emotional state of the victim – but if you shut down a hospital’s computer systems you can indirectly threaten the lives of the patients.

It gets worse with the final section of the Panda report. This looks at direct attacks against specific medical equipment. Researchers have already demonstrated many different vulnerabilities: Richard Rios, for example, has “identified more than 300 vulnerable devices in some 40 different companies.” As soon as cyber criminals find a way to monetize this type of attack, it will not be hospitals held to ransom, but the lives of individual patients.