Hacker Offers 655,000 Stolen Health Records for Sale
The Centers for Medicare & Medicaid Services (CMS) recently learned of a potential security breach in which a hacker is offering for sale 655,000 records of orthopedic patients, according to an MLN Matters Special Edition Article (SE1616).
A hacker who goes by the name “thedarkoverlord” claims to be in possession of the healthcare records, according to HotHardware. The breach was first reported by DeepDotWeb, which has exclusive screenshots of some of the records, provided by “thedarkoverlord” to prove the legitimacy of his dastardly deed.
Hacker Hits Midwest, Georgia
The stolen records span much of the country, with 48,000 coming from Farmington, Missouri (later revealed to be from Midwest Orthopedic Clinic); 210,000 from the Central/Midwest states; and 397,000 from Georgia, reports HotHardware. The records include Social Security and insurance policy numbers. The hacker is reportedly selling the records for Bitcoins, at a U.S. dollar equivalent of approximately $1 per name.
The hacker himself requested that DeepDotWeb add a note to its online report, directed to the breached companies:
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”
Of course, HIPAA-covered entities put a lot more on the line if they kowtow to such threats. “What we can hope for at this point is that the affected hospitals (and patients) get notified about the breach as quickly as possible,” writes HotHardware reporter Rob Williams.
Meanwhile, CMS reminds HIPAA-covered entities of their duty to notify the Secretary of the U.S. Department of Health and Human Services if a breach of unsecured protected health information belonging to them or a business associate is discovered. See 45 CFR Section 164.408 for breach notification guidelines.
Two days after this story broke, DeepDotWeb reported “thedarkoverlord’s” claim of hacking into a U.S. healthcare insurance database containing no less than 9.3 million patient records.