Updated: Records for nearly 10M patients for sale by hacker

UPDATED: Personal information for close to 10 million people is being sold online by a hacker who stole the information from a health insurance database and three hospitals.

On Tuesday, DeepDotWeb reported that a hacker put health records for 9.3 million patients, stolen from a health insurance database, up for sale on TheRealDeal market for 750 bitcoin ($485,000). The same hacker, two days earlier, put records for roughly 655,000 patients across three hospitals for sale online, according to DeepDotWeb and Motherboard.

According to DeepDotWeb 's report of the hospital hacking incidents:

  • 48,000 records were stolen from a hospital in Farmington, Missouri
  • 397,000 records were stolen from a hospital in Atlanta
  • 210,000 records were stolen from a Central/Midwest-based hospital

Records from the Atlanta hack are being sold for “just over 643 bitcoins” ($411,000), according to Motherboard, while those from the Midwest hospital are available for $205,000. Records from the Missouri incident are being sold for $100,000.

The hacker told Motherboard that $100,000 worth of records have already been sold from the Atlanta hospital, saying that “someone wanted to buy all the Blue Cross Blue Shield insurance records, specifically.”

The records include Social Security and insurance policy numbers, as well as names, birth dates and addresses.

The hacker told the hospitals to expect “a lot more,” via a message in DeepDotWeb.

“Next time an adversary comes to you and offers an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer,” the hacker said.

Hospitals typically are encouraged to not meet a hacker’s ransom demands in such situations. Case in point, the Department of Health and Human Services, in conjunction with the Departments of Justice and Homeland security, last week published guidance focusing on ransomware in which they advise organizations to not pay a ransom.

“Paying a ransom does not guarantee an organization will regain access to their data,” the guidance states. “[I]n fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. ... Paying could inadvertently encourage this criminal business model.”

In February, Los Angeles-based Hollywood Presbyterian Medical Center paid hackers roughly $17,000 (40 bitcoins) after a ransomware attack left its networks disabled, a move the organization said was “in the best interest of restoring normal operations.”

To learn more:
- read the DeepDotWeb post on the health insurance database hack
- here's the DeepDotWeb article on the hospital hacks
- read the Motherboard post
- check out the guidance