Stolen Patient Records a Hot Commodity on the Dark Web

By Paul Nadrag, Software Developer, Capsule Technologies
Twitter: @capsule_tech

By now, all hospitals and health systems are aware of ransomware-related cyberattacks where a hacker will gain control of a computer network, data center or cloud server and encrypt the data, effectively blocking access until a ransom is paid.

A less immediate, but no less catastrophic, result from such a ransomware attack is where the hackers also steal as many electronic health records (EHRs) as possible to sell on dark web marketplaces. Hackers launching these attacks are not bored teenagers in their bedrooms, but rather sophisticated, international criminal organizations that through the dark web connect with other criminals who profit from stolen records. Cybercrime organizations can sell stolen records for as much as $1,000 each, while credit card numbers alone sell for as little as $5 and social security numbers for only $1 each.

A Treasure Trove of Data
Medical records are also so lucrative on the black market because, unlike credit card numbers, they can never be canceled. If the records are complete, they contain a plethora of data. Available information could include the patient’s medical history, demographics, health insurance and contact information. This data can then be used to support numerous other illegal activities, such as obtaining prescription medications, filing bogus medical claims, or stealing the patient’s identity to open credit cards and fraudulent loans. The hacker organization does not typically commit these secondary crimes on their own. Rather, they tap into a criminal network on the dark web experienced in drug trafficking and money laundering who are eager to buy medical records to support their criminal activities.

Hackers, however, may also retain the records for their own nefarious activities. For example, patients of a large mental and behavioral health practice in Finland this year were blackmailed by a hacker or group of hackers based on records stolen from November 2018 through March 2019. Patients received extortion letters from the cybercriminals demanding as much $240 to keep their information private, an amount which doubled after 24 hours.

The repercussions to the patient could last for years if highly personal information is made public or used to steal one’s identity. Specifically, medical identity theft, which is where a patient’s identity is fraudulently used to obtain medical services or prescriptions, costs $13,500 to resolve, either through paying a provider, insurer or legal services, or all of the above. Victims also spend more than 200 hours trying to repair the damage and securing their information. Forty-five percent of medical identity theft victims surveyed report the crime affected their reputations mainly due to the embarrassment of having their sensitive personal health conditions disclosed while nearly 20% reported they believe the theft caused them to miss out on career opportunities.

Costly to Hospitals
While patients are most personally affected by the theft and sale of their medical record information, the financial and reputational impact is felt by the hospital or health system in several ways:

  • Ransom to hackers: Hospitals either pay the cyberattacker’s ransom or rebuild their systems to regain access to their EHRs and data, neither option being inexpensive. They may not realize until later, however, that the hacker has stolen records as well and is selling them on the black market, which further adds to providers’ costs as detailed below.
  • Remediation costs: The hospital will need to conduct a forensic investigation to determine the extent of the network penetration and/or data breach. Additional training will likely be required as will new technical and procedural safeguards.
  • ID theft protection for victims: Regardless, if records were stolen, any type of cyberattack of the hospital’s EHR requires the institution to offer identity theft protection services for affected patients, which can extend for a year or more. Patients may also file class action lawsuits against the hospital alleging damages due to the ransomware attack.
  • HIPAA investigation and penalty: If a hacker accesses protected health information (PHI), hospitals are required to submit a breach notification to patients, the media and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If it is determined that the hospital violated HIPAA rules and was at fault, OCR can demand monetary penalties of more than $1.7 million along with other corrective actions, depending on the size and nature of the breach.

Protecting PHI at All Points
Cybercriminals most often infiltrate the hospital’s network through a fraudulent email they send to a staff member, containing a link or virus embedded in a computer file. Such attacks against healthcare provider organizations have accelerated during the COVID-19 pandemic as recently as late October, according to a statement from several U.S. government entities.

In some instances, cybersecurity technology can prevent malicious software from gaining control of the hospital’s servers, but the malware may still hijack a connected medical device that operates with dated, unsupported software lacking appropriate security measures.

Protecting these devices, however, is possible by connecting them to a secure clinical computing hub, such as Capsule Technologies’ Neuron. Not only does Neuron encrypt data from devices to prevent unauthorized access, but also effectively shields connected devices from the network, making them invisible to hackers.

An Ounce of Prevention
Cyberattacks can be financially damaging to hospitals, both in terms of money spent and reputational damage, but the impact is most emotionally devastating to patients when their most personal and private information is stolen and sold on the black market. Ransoms paid to hackers, as well as money captured from records sold on the dark web, also fuels these criminal organizations to commit additional attacks against other healthcare providers.

Following best practices and appropriate staff and clinician training will help prevent damage, but hospitals need additional security measures to protect themselves and patients from human error and criminal greed.

This article was originally published on the Capsule Technologies blog and is republished here with permission.