A hacker who goes by the name "TheDarkOverlord" is selling more than 650,000 patients' healthcare records on the dark web. Motherboard reports that TheDarkOverlord obtained access to three separate databases containing the records by first exploiting an unknown vulnerability in how certain companies implement remote desktop protocol (RDP), which tech support technicians commonly use to gain remote control of a computer. After gaining access to the companies' computer networks, the hacker moved laterally "until [he] got to the juicy machines running their electronic health systems." The hacker didn't immediately put the records up for sale. Instead he contacted each of the affected companies and said he would disclose the bugs that granted him access for a price. When the companies refused, TheDarkOverlord decided to sell all three databases on The Real Deal, the same dark web marketplace where a hacker named "Peace" first put up a database of 167 million LinkedIn accounts exposed in the 2012 LinkedIn data breach for sale back in May.
A screenshot of a patient's healthcare records provided by TheDarkOverlord. (Source: DeepDotWeb) According to DeepDotWeb, the first database consists of 48,000 patients' records stolen from a healthcare organization located in Farmington, Missouri. The other two databases are considerably larger. One originates from an organization located in Central/Midwest United States and contains 210,000 records. The other database consists of 397,000 patients records and comes from the state of Georgia. The three databases range in price from over 100,000 USD to more than 400,000 USD. Each of them are in plaintext and contain several pieces of patients' personal information. TheDarkOverlord also had a message for companies that decline offers from mysterious hackers:
"Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come."
As of this writing, the hacker claims to have sold approximately 100,000 USD worth of records from the Georgia data dump after someone decided to allegedly buy up all of the BlueCross BlueShield insurance records specifically.