A hacker who claims to have obtained more than ten million health records is selling the data to the highest bidder on the dark web.
The seller, who goes by the name “thedarkoverlord” began listing the data over the weekend, but could not be immediately contacted on Monday.
The largest batch of data, which the seller claims to contain a little over 9.2 million health insurance records from US patients, is on sale for 750 bitcoins. At Monday’s rate, that’s about $486,000. The data includes names, addresses, emails, phone numbers, dates of birth and social security numbers.
We couldn’t verify the authenticity of the data contained in the seller’s ad. The seller did not have any points to their name, unlike other known hackers, indicating that they are new to the site. News site Motherboard contacted some users who confirmed that their data was in a sample that was received.
The hacker said the data was stolen by exploiting an disclosed zero-day flaw in the remote desktop protocol (RDP), which can allow a user to remotely view another user’s desktop.
It’s not all that surprising, given that earlier this year a hacker exposed thousands of insecure desktops that anyone can remotely view, thanks to poorly-configured remote desktop software. In one case, we were able to see a computer used in a pediatricians’s office, which contained personal details on hundreds of patients.
Another batch of data includes 207,000 records from an unnamed healthcare organization in the US midwest region, on sale for 170 bitcoins (about $110,100 at the time of writing).
The seller also claims to have close to 397,000 records from members in Atlanta, Georgia — most of which are from Blue Cross Blue Shield and United Healthcare, which is being sold for 300 bitcoin (or about $194,000).
Another smaller batch contains records on 47,800 members from Farmington, Missouri, which is on sale for 60 bitcoins (or about $39,000).
The hacker said in one listing that the data was stored on an “accessible internal network” and stored in plaintext — which if true would be in violation of federal healthcare privacy rules. Another database was allegedly stolen from a Microsoft Access database.
It’s not clear where the data came from, but healthcare providers and hospitals have been increasingly targeted for customer and patient data in recent months. Anthem was notably hit last year, in which hackers took off with over 80 million records.
According to recent data, the healthcare industry tallies up as the highest cost of a data breach per record.