655,000 Healthcare Records Being Sold on Dark Web

The hacker selling upwards to 655,000 healthcare records on the dark web obtained them after exploiting a vulnerability in how companies implement RDP.

A hacker selling upwards to 655,000 healthcare records on the dark web allegedly obtained them after exploiting a vulnerability in how companies implement remote desktop protocol, or RDP, functionality.

The hacker, who goes by the handle “thedarkoverlord,” allegedly penetrated three healthcare organizations and made off with a database from each, according to Deep Dot Web, who reported the news over the weekend.

One database comes from a healthcare facility based in Farmington, Missouri and appears to contain plaintext information on 48,000 patients.

“It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords,” the attacker told the site on Sunday.

The second two databases are much larger – 210,000 patients and 397,000 patients – and come from an organization in the Central/Midwest United States and another in Georgia. Like the former, both databases are said to be in plaintext. The Georgia database was accessed via a network through plaintext usernames and passwords while the Central/Midwest U.S. database was retrieved the same way, but also by exploiting a misconfigured network.

The hacker apparently decided to sell the information shortly after contacting the companies. When asked if they’d pay him to divulge how he was able to secure access to the information, they refused. In response the hacker is selling the information for a hefty cost; the databases range in price, from 151 BTC, roughly $100,000, to 607 BTC, roughly $395,000. The information is for sale at TheRealDeal, the the same underground marketplace that the hacker ‘Peace’ sold stolen login information from social networks VK.com and Myspace.com on earlier this year.

The hacker claims to have already sold $100,000 worth of records from the Georgia database – information that apparently belonged to a Blue Cross Blue Shield regional office – according to a Tripwire blog about the hack.

Details around the specific RDP vulnerability the hacker used are unfortunately few and far between. The protocol allows remote display and input capabilities and is usually used so tech support can access computers. In May attackers targeted corporate networks running Internet-available RDP servers. After locating them, they brute forced the servers with weak passwords to spread the Bucbi ransomwareA few years ago a botnet made the rounds that also specialized in brute-forcing. It targeted poorly implemented RDP setups that stored payment card information.

According to experts the hacker’s actions could serve as a blueprint for the future of ransomware.

“This is the next stage of ransomware, in which the attacker is mitigating the risk of the victim restoring from backup by keeping a copy of the private data,” including Travis Smith, a senior security research engineer with Tripwire said Monday.

“Now the victim may have to make decisions on paying not only to recover their data, but to prevent it from being leaked externally. For businesses, this could mean fines and diminished reputation from the breach. For consumers, this could be private or damaging information,” Smith said.

Smith points out that while a lot of the buzz around ransomware is based around recovering data, more incidents like this could shift the paradigm and force companies to focus more on prevention.


Suggested articles


  • brian on

    No mater how good security is (not good here but) hackers will always find a way in. However this crime is only made possible (or least the profit part of it) by the use of untraceable crypto currency such as bitcoins. Given the amount of effort ordinary folk have to go through to prove money is theirs etc. when buying house, car etc., its time for crypto currencies to come under the same level of control, or their use made illegal. Would make this type of crime and ransomware unprofitable. It might even do more to curb terrorism and crime than any FBI 'no warrant' searches, massive surveillance etc! Plus who could object on reasonable grounds to it?
    • Jason on

      While crypto currency might make committing crimes easier, it certainly isn't responsible for the crimes, nor would it make them unprofitable. Further, bitcoin transactions done wrong can potentially be traced so laundering practices are used to attempt to hide/obfuscate transactions -- sound familiar?
    • Rob on

      Crypto currency is not untraceable. The amount of illegal data and drugs exchanged for "real" money dwarfs that exchanged for Bitcoin, so let's not blame the currency for enabling illegal activity.
    • Alex on

  • Dana on

    What is the name of the Midwest organization?
  • InformedLibertarian on

    Brian, you are incredibly ignorant. These crimes would take place whether they get paid via Bitcoin, moneygrams or pre-paid VISA cards (which is what they used to use). Don't try to use crap like this as an excuse for more government oversight.
  • Ron on

    This story is about 24 hours old, The hacker has released more. The count now is about 9.3
  • kevin on

    People seriously need to stop putting private information online. The solution to all of these hacks is the same. You must force anyone who wants the data to enter the building and stand in front of the computer / filing cabinet, etc etc etc. In this day and age of daily hacking reports in the post Edward Snowden era , you are insane for putting any kind of private information on an internet connected machine.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.