Hacker Offers 655,000 Stolen Health Records for Sale

  • By
  • In AAPC News
  • July 21, 2016
  • Comments Off on Hacker Offers 655,000 Stolen Health Records for Sale
Hacker Offers 655,000 Stolen Health Records for Sale

The Centers for Medicare & Medicaid Services (CMS) recently learned of a potential security breach in which a hacker is offering for sale 655,000 records of orthopedic patients, according to an MLN Matters Special Edition Article (SE1616).
A hacker that goes by the name “thedarkoverlord” claims to be in possession of the healthcare records, according to HotHardware. The breach was first reported by DeepDotWeb, which has exclusive screenshots of some of the records provided by “thedarkoverlord” to prove the legitimacy of his dastardly deed.

Hacker Hits Midwest, Georgia

The stolen records span much of the country, with 48,000 coming from Farmington, Missouri (later revealed to be from Midwest Orthopedic Clinic); 210,000 from the Central/Midwest states; and 397,000 from Georgia, reports HotHardware. The records include Social Security and insurance policy numbers. The hacker is reportedly selling the records for Bitcoins, at a U.S. dollar equivalent of approximately $1 per name.
The hacker himself requested DeepDotWeb add a note to their online report, directed to the breached companies:
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”
Of course, HIPAA-covered entities put a lot more on the line if they kowtow to such threats. “What we can hope for at this point is that the affected hospitals (and patients) get notified about the breach as quickly as possible,” writes HotHardware reporter Rob Williams.

CMS Reacts

Meanwhile, CMS reminds HIPAA-covered entities of their duty to notify the Secretary of the U.S. Department of Health and Human Services if a breach of unsecured protected health information belonging to them or a business associate is discovered. See 45 CFR Section 164.408 for breach notification guidelines.
Two days after this story broke, DeepDotWeb reported the “thedarkoverlord’s” claim of hacking into a U.S. healthcare insurance database containing no less than 9.3 million patient records.

Renee Dustman
Follow me

About Has 817 Posts

Renee Dustman, BS, AAPC MACRA Proficient, is managing editor - content & editorial at AAPC. She holds a Bachelor of Science degree in Media Communications - Journalism. Renee has more than 30 years' experience in journalistic reporting, print production, graphic design, and content management. Follow her on Twitter @dustman_aapc.

Comments are closed.