DeepDotWeb reported Tuesday that a hacker put 9.3 million stolen health records up for sale on TheRealDeal market for 750 bitcoin, or about $485,000. The hacker, who had stolen those records from a health insurance database, had just two days earlier put nearly 655,000 stolen patient records from three hospitals up for sale online. According to DeepDotWeb’s report, of those 655,000 records, 48,000 were stolen from a hospital in Farmington, Missouri; 397,000 from a hospital in Atlanta; and 210,000 from a hospital in the Central/Midwest United States. What’s more, the hacker told Motherboard that $100,000 worth of records from the Atlanta hospital had already been sold and that “someone wanted to buy all the Blue Cross Blue Shield insurance records, specifically.” The Blue Cross Blue Shield records reportedly contain Social Security numbers, insurance policy numbers, names, birthdates and addresses – all extremely valuable information on the dark web, since together they are enough to commit identity theft and insurance fraud.
The hacker also suggested that the situation could have been avoided entirely, explaining that, “Next time an adversary comes to you and offers an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.” Law enforcement usually recommends that hospitals not meet a hacker’s ransom demands. The Departments of Health and Human Services, Justice and Homeland Security recently published guidelines advising organizations not to pay a ransom and explaining how to handle the situation properly. “Paying a ransom does not guarantee an organization will regain access to their data,” the guidance states. “[I]n fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. … Paying could inadvertently encourage this criminal business model.” The same logic applies here: the guidance is written for ransomware, where payment is supposed to buy back access to encrypted data, but in this case the data had already been copied out of the victims’ systems, so a payment would buy nothing more than the attacker’s promise not to sell it.