A hacker has reportedly stolen the information of 655,000 individuals, and is advertising the information for sale on the dark web, potentially compromising those individuals’ PHI security.
The hacker goes by the name The Dark Overlord, and claims to have gathered information from three separate healthcare databases, including data such as patients’ names, Social Security numbers, addresses, dates of birth, and other information, according to Motherboard.
A Remote Control Desktop (RCD) at all three of the organizations was reportedly compromised, which is how the hacker came across the information. Approximately 48,000 records are from a facility in Farmington, Missouri, 210,000 are from a company from “Central/Midwest US,” and 397,000 are from an organization in Georgia.
“A modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims,” the hacker explained, adding that $100,000 worth of information has already been sold from the Georgia dump.
The Dark Overlord also spoke to Dissent Doe at the Daily Dot, and stated that the Atlanta entity specifically uses SRS EHR v. 9 software. This is a particularly vulnerable type of software, according to the hacker.
“I found several exploits to remotely access the SRSSQL servers,” The Dark Overlord told Dissent Doe. “It was like stealing candy from a baby.”
All versions of SRSSQL are vulnerable, the hacker added, and anyone using it should stop immediately.
The attacked entities allegedly refused to pay extortion demands, and so The Dark Overlord posted the information on the dark web.
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer,” The Dark Overlord said to Dissent Doe. “There is a lot more to come.”
The Georgia database is priced at approximately $400,000, while the Central/Midwest database is marked for $200,000. The Missouri database is being sold for $100,000.
Healthcare data breaches are not a new issue for the industry, but they are becoming increasingly expensive. Specifically, the average cost per stolen record in the healthcare industry is $355, according to the Ponemon Institute, while the average global cost of a stolen record across all industries is $158.
"Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent 'cost of doing business' in the cybercrime era," Dr. Larry Ponemon said. "The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies."
Data breach detection was another important takeaway from the recent Ponemon report. Breaches identified in less than 100 days cost companies an average of $3.23 million, while breaches found after that point cost an average of $4.38 million.
A separate Ponemon study also found that the average cost of a data breach for a healthcare provider is around $2.2 million and $1 million for a business associate. Healthcare data breaches have in total cost the industry about $6.2 billion.
Criminal attacks were listed as the top reason behind healthcare data breaches, with half of the participating organizations and 41 percent of business associates stating that cyberattacks were the cause of most data security incidents.