Dive Brief:
- A hacker has put the health records of 9.3 million people up for sale on TheRealDeal market, Fierce Healthcare reported. The records were stolen from four healthcare organizations' databases.
- The hacker claims to already have sold $100,000 worth of records, Computer World reported.
- With incidents of hacking and ransomware growing in the healthcare industry, HHS earlier this month issued recommendations on steps hospitals and insurers can take to protect against cyberattacks.
Dive Insight:
Two days earlier, the hacker announced the sale of records from hospital databases, including 48,000 records from a Farmington, MO hospital, 397,000 from an Atlanta hospital and 210,000 from an unnamed hospital somewhere in the Central/Midwest U.S. The hacker, who uses the moniker TheDarkOverlord, is asking about $100,000, $400,000 and $200,000, respectively, for the databases.
An additional 750 bitcoins ($485,000) was requested for a fourth database, from a "large insurance healthcare organization," containing 9.3 million health records.
The records include names, birth dates, social security numbers, addresses, cell phone numbers and insurance policy numbers, as well as personal medical histories. In a private chat, TheDarkOverlord told the Daily Dot that he or she plans to sell only one copy of each database.
In each case, the decision to sell the databases apparently came after the owners refused to meet ransom demands — not paying is exactly what HHS recommends.
“Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided decryption keys after having paid a ransom,” the guidance says.
HHS suggests organizations implement a security incident response and business continuity plan and contact law enforcement immediately if a cyberattack occurs. The guidance also poses questions organizations can ask themselves to help prevent ransomware attacks, such as whether staff have been trained on cybersecurity best practices and whether a risk analysis of cyber vulnerabilities has been conducted.
HIPAA doesn’t require entities to encrypt data, though they are expected to have technical safeguards in place.
TheDarkOverlord told the Daily Dot that much of the information in the hacked databases was in plain text.