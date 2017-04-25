Healthcare records for sale on Dark Web

A clinic in Baltimore is just one example of a healthcare provider having its records stolen.

Last August a Baltimore substance abuse treatment facility had its database hacked. Patient records subsequently found their way onto the Dark Web, according to DataBreaches.net. The group noticed such things as dates of admission, whether the patients are on methadone, their doctors and counselors, and dosing information.

In the DataBreaches.net blog, the hacker “Return,” who they think is Russian, described how he compromised the Man Alive clinic: “With the help of the social engineer, applied to one of the employees. Word file with malicious code was downloaded.”

The sample provided by Return consisted of 727 pages of unredacted patient profiles containing personal and treatment information on 633 patients, Databreaches wrote.

Flashpoint ‘s Director of Research Vitali Kremez said healthcare records have historically been a key economic driver of the Dark Web economy for many years due to the fact that they are such a rich source of very specific and in some cases immutable personal information that can be used to initiate many types of fraud – from insurance, to identity and tax fraud. These types of fraud cost taxpayers billions of dollars annually according to the FTC.

Kremez said the initial attack vector appears to be a vulnerable Remote Desktop Protocol (RDP) server belonging to the Baltimore clinic. In this case, Flashpoint saw complete patient information stolen from a clinic in Baltimore, over 43,000 records, offered at a price of $300 — or less than one cent per record.

The Identity Theft Resource Center reported that there were 355 breaches in 2016 affecting 15 million records. 2016 was a record year for US Healthcare breaches – affecting hospitals, dental clinics, and senior care facilities, among others -- with the top 10 breaches netting criminals in excess of 13 million records, and the Dark Web literally flooded with "fullz" (full packages of personally identifiable information) as well as patient insurance information.



Flashpoint

“So much so was the glut that extensive Flashpoint Dark Web research saw fullz actually commoditizing and the value of individual fullz decreasing. While Flashpoint has observed actors offering medical data for a bulk price of $7 per record, the industry standard for the value of an individual record is now at $0.50-$1,” Kremez said.

He said information like birthdates, Social Security numbers and driver’s license information are used to fill out, submit and validate any number of fraudulent accounts or transactions – such as income tax filing, financial aid applications or insurance claims. Marital status or emergency contact and employment information can also be used to guess security validation or password reset questions. And email addresses or phone numbers can be used to evade anti-fraud mechanisms such as PIN systems or multifactor authentication.

