We first talked about the sale of PHI on the darknet in Ep 62. Now more information is coming out about the healthcare hack, and it gets worse for patients each time we read more. Deep Dot Web first broke the news; we picked it up from DataBreaches.net, which was trying to figure out who the breached entities actually were in each case.

HIPAA For MSPs by David Sims Healthcare Hack: PHI For Sale On The DarkNet

What Happened?

From what we can tell, this is the timeline of the healthcare hack:

Jun 26

A hacker or hackers calling themselves TheDarkOverlord (TDO) (some articles use The Dark Lord as the name) posted several complete healthcare databases for sale on the darknet, covering over 650,000 patient records. The listings included samples of the data, a description of where it was stolen from, and a little about how it was done, as seen below:

Specific data breaches

  • Healthcare Database (48,000 Patients) from Farmington, Missouri, United States
    • This product is a considerably large database in plaintext from a healthcare organization in Farmington, Missouri, United States. It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords. I have had access to his system since early 2016. I only started getting aggressive with data collection recently in May and he only knew of my access once I sent him the ransom email. They use a Microsoft Access database – an EHR system called MedTech. Storing plaintext usernames and passwords, all unencrypted, everything.
  • Database (210,000 Patients) from Central/Midwest United States
    • This product is a very large database in plaintext from a healthcare organization in the Central/Midwest United States. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.
  • Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States
    • This product is a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.

TDO means business with this healthcare hack

“There are 396,458 total records involved in the release. The most common Healthcare Insurance is ‘Blue Cross Blue Shield’ and the second most common Healthcare Insurance is ‘United Healthcare’. The plaintext database file is over 200MB in size. Ownership of this database will be exclusive and only a single copy will be sold. This has not been leaked anywhere and it has not yet been abused. If you are interested in purchasing this database and would like to make an offer other than what is listed, send a PM. Only serious offers will be entertained.”

The seller also added a note to the hacked entities:

“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

The hacker even posted screenshots showing the systems he had accessed during the healthcare hack.

Jun 28

Just two days later another batch from the healthcare hack was up for sale, this time much bigger and from an insurance provider.

  • Healthcare Insurance Database (9,300,000 patient records) from the United States
    • plaintext, 2GB database
    • This product is an extremely large database in plaintext from a large insurance healthcare organization in the United States. It was retrieved using a zero day within RDP (Remote Desktop protocol) that gave direct access to this sensitive information.

All sales were to be done in Bitcoin, so the dollar value is hard to pinpoint; with the exchange rate moving the way it does, it is more like being paid in a company's stock than in cash. The raw data was probably worth well over $1 million. Buyers will then resell the records for more than they paid; it is capitalism at its purest on the darknet.

Hacker Interviews

The hacker also gave interviews to reporters in secret chat rooms on the dark web. His statements in those interviews were quite specific about how easy the healthcare hack was to carry out and how much was taken.

By his account, every intrusion started with a zero-day vulnerability in RDP, and once inside he went after the simple targets: plaintext storage of usernames and passwords, databases that were easy to find, and medical software that was vulnerable overall. The RDP zero-day is the hacker's own claim; the plaintext credentials and exposed databases are the part any practice can check for itself.
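Both the Farmington listing above (an Access-backed EHR with "plaintext usernames and passwords") and the interview summary describe the same weakness: credentials sitting in config files and connection strings on the network. The following is an added example, not code from the original page or from any vendor named on it. It walks a directory tree and flags lines that look like credentials in the clear, skips binary files and templated placeholders, and builds a small constructed sample tree so it runs offline. The file names, key list and sample contents are assumptions for the demo.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one credential-looking line found on disk.
type Finding struct {
	Path string
	Line int
	Key  string // the secret-naming key that matched, lower-cased
}

// credPattern matches key=value or key: value pairs whose key names a secret.
// It covers INI/.config style ("Password=...") and ODBC/Access connection
// strings ("...;Uid=admin;Pwd=...;"), which is where an Access-backed EHR
// typically keeps its database login. The key list is an assumption; extend
// it for the software you manage.
var credPattern = regexp.MustCompile(`(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*([^\s;"']+)`)

// placeholderValue is true for values that are templates rather than secrets,
// so a checked-in .template file does not drown out real hits.
func placeholderValue(v string) bool {
	v = strings.ToLower(v)
	return strings.HasPrefix(v, "${") || strings.HasPrefix(v, "%") || v == "changeme"
}

// ScanContent reports every line of one file that carries a credential-looking
// pair. Files containing NUL bytes are treated as binary and skipped: the
// Access .mdb itself is not what we are after, the files that unlock it are.
func ScanContent(path string, data []byte) []Finding {
	if bytes.IndexByte(data, 0) >= 0 {
		return nil
	}
	var out []Finding
	sc := bufio.NewScanner(bytes.NewReader(data))
	for n := 1; sc.Scan(); n++ {
		for _, m := range credPattern.FindAllStringSubmatch(sc.Text(), -1) {
			if placeholderValue(m[2]) {
				continue
			}
			out = append(out, Finding{Path: path, Line: n, Key: strings.ToLower(m[1])})
		}
	}
	return out
}

// ScanTree walks root and applies ScanContent to every regular file.
// Unreadable files are skipped rather than aborting the scan.
func ScanTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		if data, rerr := os.ReadFile(p); rerr == nil {
			all = append(all, ScanContent(p, data)...)
		}
		return nil
	})
	return all, err
}

// WriteSamples lays down a constructed tree (not from any real system) that
// mimics the listing: an INI and an ODBC string for an Access file with the
// password in the clear, a templated env file that must not be flagged, and a
// binary blob that happens to contain the word "password".
func WriteSamples(root string) error {
	files := map[string]string{
		"ehr/medtech.ini":      "[Database]\nPath=C:\\MedTech\\patients.mdb\nUser=admin\nPassword=Summer2016!\n",
		"ehr/odbc.txt":         "Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\\MedTech\\patients.mdb;Uid=admin;Pwd=Summer2016!;\n",
		"web/app.env.template": "DB_HOST=db\npassword=${DB_PASSWORD}\n",
		"bin/blob.dat":         "MZ\x00\x00password=notreallytext",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "credscan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteSamples(root); err != nil {
		panic(err)
	}
	findings, err := ScanTree(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d  %s in the clear\n", f.Path, f.Line, f.Key)
	}
}
```

Run against the sample tree it reports exactly two lines, the INI password and the ODBC `Pwd=`; the template and the binary stay quiet. Point `ScanTree` at a file share or an EHR install directory instead of the temp tree to use it for real, and expect to tune the key list for whatever software the practice runs.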

The hacker said, “It was like taking candy from a baby.” He also indicated that someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically.

“Why not just pay?” he said. “Money makes it all go away and it is a modest cost compared to the total financial damage you will suffer if you do not pay to keep it from getting leaked.” He also remarked that, “we are just getting started.”

Jun 29

An article was published by a journalist who focused on how the hacker got into a small orthopedic clinic he targeted:

“The hacker tells me he is trying to obtain a ransom from the clinic. In mid-June, he sent a chilling ransom letter by email to the clinic’s founder, which he provided to me. The ransom note states: ‘We have hacked your network and we have everything, including your valuable electronic patient records.’ The letter is more than 2,000 words long, names family members of the clinic’s founder and includes some of their Social Security numbers. ‘Remember that because we are honest people, nothing will happen to you or anyone you know if you comply with our demands,’ the note reads. ‘Oh and by the way, we advise that you keep all of this to yourself for you and your loved ones’ sake.’”

Jun 30

Another interview article was posted about how the hacker is gaming the media to extort his victims. It explains that the public listings were meant to show the entities that he means business and should be taken seriously: one final push to get them to pay before the records are sold. He says that “there has always been a specific method and plan,” and that some victims have now paid. He also says, “The databases that you see listed are ones from victims [who] have either declined to pay or whose deadlines are coming up and need a little pressure put on them.”

In the end, the journalists still need to report on it: even when you know you are being used or played, you can and should still report a healthcare hack.

Jul 12 – 15

At some point during this window another 34,000 records from the healthcare hack were posted for sale, from a Bronx, NY entity. The bigger news was that the source code for an EHR vendor's HL7 interface engine was published along with its code-signing keys. The signing key matters because anyone holding it can sign a modified build, with his own code added, and push it out as an update that clients' software will accept as genuine. The vendor was contacted and said there was no PII or PHI at risk.

In an interview, TDO thought that was funny and said, “Of course not, except when I used their code to find exploits in all their clients… Also, since I was in their system, I signed a backdoor into their client – because I had access to their certificate signing. It got pushed out in an update a few weeks ago. So yes, no PII/PHI my ass.”
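The point about the signing key deserves a concrete demonstration: an updater that only checks "is the signature valid under a key I trust" cannot tell a genuine release from a backdoor signed with a stolen copy of that key. The following is an added example, not code from the original page or from the vendor it discusses. It uses Ed25519 from Go's standard library to play out the scenario with constructed data (the key ID, payload strings and in-memory manifest are assumptions), then shows the two checks that do catch it: a revocation list for the compromised key, and a manifest of artifact hashes produced by the build system rather than by whoever holds the release key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is what an auto-updater receives: the artifact, the ID of the key
// that signed it, and the signature over the artifact.
type Update struct {
	Payload []byte
	KeyID   string
	Sig     []byte
}

// Verifier is the client's trust state. TrustedKeys alone is the usual
// "check the signature" design; Revoked and Manifest are the two additions
// that let it survive a stolen release key.
type Verifier struct {
	TrustedKeys map[string]ed25519.PublicKey
	Revoked     map[string]bool // key IDs the vendor has announced as compromised
	Manifest    map[string]bool // sha256 of every artifact the build system actually produced
}

var (
	ErrUnknownKey = errors.New("update signed by unknown key")
	ErrRevokedKey = errors.New("update signed by revoked key")
	ErrBadSig     = errors.New("signature does not verify")
	ErrNotBuilt   = errors.New("artifact hash not in vendor build manifest")
)

// SignatureOnly is the naive check. It accepts anything signed with a trusted
// key, which after a key theft includes the attacker's backdoored build.
func (v Verifier) SignatureOnly(u Update) error {
	pk, ok := v.TrustedKeys[u.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pk, u.Payload, u.Sig) {
		return ErrBadSig
	}
	return nil
}

// Hardened adds what the signature cannot tell you: the key must not have
// been revoked, and the artifact must be one the build system recorded.
// The manifest catches the backdoor immediately; revocation closes the hole
// for good once the vendor learns of the theft.
func (v Verifier) Hardened(u Update) error {
	if v.Revoked[u.KeyID] {
		return ErrRevokedKey
	}
	if err := v.SignatureOnly(u); err != nil {
		return err
	}
	if !v.Manifest[Digest(u.Payload)] {
		return ErrNotBuilt
	}
	return nil
}

// Digest returns the hex SHA-256 of an artifact, the key used in Manifest.
func Digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Scenario builds the situation from the text with constructed data: the
// vendor signs a genuine release, then the attacker, holding a copy of the
// same private key, signs a build with his own code added.
func Scenario() (Verifier, Update, Update, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Verifier{}, Update{}, Update{}, err
	}
	legit := []byte("engine-4.2.0: genuine HL7 interface engine build")
	backdoor := []byte("engine-4.2.1: same engine plus the attacker's added code")
	v := Verifier{
		TrustedKeys: map[string]ed25519.PublicKey{"release-2016": pub},
		Revoked:     map[string]bool{},
		Manifest:    map[string]bool{Digest(legit): true},
	}
	// The attacker runs exactly this function; the key was the only secret.
	sign := func(p []byte) Update {
		return Update{Payload: p, KeyID: "release-2016", Sig: ed25519.Sign(priv, p)}
	}
	return v, sign(legit), sign(backdoor), nil
}

func main() {
	v, legit, backdoor, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature-only, genuine  :", v.SignatureOnly(legit))
	fmt.Println("signature-only, backdoor :", v.SignatureOnly(backdoor)) // nil: accepted
	fmt.Println("hardened, backdoor       :", v.Hardened(backdoor))     // rejected: not in manifest
	v.Revoked["release-2016"] = true
	fmt.Println("after revocation, genuine:", v.Hardened(legit)) // vendor must re-sign with a new key
}
```

Two things the demo makes visible. First, `SignatureOnly` returns `nil` for the backdoor: cryptographically it is a perfect release. Second, revocation is blunt; it also rejects the genuine build until the vendor re-signs with a fresh key, which is why the manifest check is worth having on day one. The manifest itself must get its integrity from somewhere the release key cannot touch (an offline key or a transparency log); holding it in memory here is a simplification.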

Healthcare IT News

A Healthcare IT News article says more records and images were stolen in the healthcare hack than previously thought: adding the listings together, over 10 million records. It adds that medical images were part of the data, described as obtained “from exploiting security vulnerabilities in email software that supports HL7 and also organizations connected to the HL7 network.”

“We know he is actively looking for new servers from the healthcare world,” Komarov said, and employing tactics such as mass scanning of servers every day to exploit vulnerabilities and find specific healthcare information to monetize. “He’s not stopping with five or seven victims,” Komarov added. “He has more and has consulted with other bad actors for advice for further distribution. That’s what we expect from him.”

What do we know about the hacked entities?

Many entities have been affected by this healthcare hack, and only some of them have been named so far.

The insurer data that was posted has not been officially identified, and there is a good chance it was obtained from a business associate (BA) rather than directly from the insurer. One article reports, “To make matters worse, ‘TheDarkOverlord’ named two specific victims on his Twitter account, while thanking an Oklahoma City organization for what appears to be compliance with his or her terms. And this morning, he threatened that data of another SRS EHR database from California will be on the market soon.” The Twitter account has since been deleted.

Is the healthcare hack over?

Many wonder how many databases the hackers are currently sitting on. One article's answer: “A number that is large and sad.”
**Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!**


We have talked repeatedly about asking your vendors questions. We know vendors get insulted and a bit irritated when you ask, but clearly it has to be done. SRS EHR software was named by TDO; he says, “You should stop using it immediately because it is so open.” By his own account, though, he has already hacked every installation he could find.

DISSENT says, “So for now, I guess, unless I obtain any additional details from TDO or the firm, the only thing left to report is to identify the firm. It’s PilotFish Technology in Connecticut, and if you’re a client with EHR records, you may want to activate your incident response team. While I did not see proof that TDO got all EHR records from all clients, TDO claimed that they’ve got them all, and I tend to believe that.”

Pilotfish Technology

PilotFish Technology makes an interface engine, among other things. Its own marketing copy reads: “Imagine the possibilities of a marketplace where you can freely and easily share, distribute, and publish your eiConsole interfaces, templates and components. Make your interfaces instantly downloadable and available for reuse with just a few simple tweaks. Speed up integration within your ecosystem and collaborate on interface development. Create interfaces that you can license and charge a fee for. The PIE is real and it’s here now. Participating is just a few clicks away and it is FREE!” An engine like this may be embedded into applications without the users having any idea. ASK your EHR company if they use this tool!

Other vendor issues in recent breaches

Bizmatics, Inc. has been around for 15 years, with around 15,000 practices using its apps and revenue cycle management services. Bizmatics isn't sure how much the hacker actually obtained, but the affected practices are announcing it now.

Blaine Chiropractic Center – MN – 1,945 patients – new breach
On May 14, 2016, we discovered unauthorized software installed by an unknown person using a hidden administrator account. During our investigation, it was discovered that the administrator account had been created and subsequently made hidden by our third party software vendor at the point of installation of our patient record software. It is not known whether any patient information was in fact accessed. Information that could possibly have been accessed includes names, addresses, telephone number, email address, appointment activity, clinical care notes, insurance information, and social security numbers.
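The Blaine notice describes a hidden administrator account created by the software vendor at install time. On Windows an account is hidden from the logon screen by a DWORD of 0 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, and that key plus the local Administrators group is enough to spot the combination the notice describes. The following is an added example, not code from the original page or from any vendor named on it. It parses constructed output of `reg query` on that key and of `net localgroup administrators`, as an RMM agent might collect them, and flags any administrator that is hidden or absent from the client's approved baseline. The account names, baseline and sample output are assumptions for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample output, as an RMM agent might collect it from one
// workstation. Not from any real system.
const sampleUserList = `
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    svc_ehr    REG_DWORD    0x0
    HelpAssistant    REG_DWORD    0x0
`

const sampleAdmins = `Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
svc_ehr
jsmith
CLINIC\Domain Admins
The command completed successfully.
`

// DefaultBaseline is the set of administrators this clinic approved,
// lower-cased. An assumption for the demo; in practice it comes from the
// MSP's documentation for that client.
var DefaultBaseline = map[string]bool{
	"administrator":        true,
	`clinic\domain admins`: true,
}

// ParseHiddenAccounts reads the output of
//   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
// and returns the accounts whose DWORD is 0, i.e. hidden from the logon
// screen and the User Accounts control panel.
func ParseHiddenAccounts(out string) map[string]bool {
	hidden := map[string]bool{}
	for _, line := range strings.Split(out, "\n") {
		i := strings.Index(line, "REG_DWORD")
		if i < 0 {
			continue
		}
		name := strings.TrimSpace(line[:i])
		value := strings.TrimSpace(line[i+len("REG_DWORD"):])
		if value == "0x0" {
			hidden[strings.ToLower(name)] = true
		}
	}
	return hidden
}

// ParseLocalAdmins reads "net localgroup administrators" output and returns
// the member names listed between the dashed rule and the status line.
func ParseLocalAdmins(out string) []string {
	var members []string
	inList := false
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimRight(line, "\r")
		switch {
		case strings.HasPrefix(line, "----"):
			inList = true
		case strings.HasPrefix(line, "The command completed"):
			inList = false
		case inList && strings.TrimSpace(line) != "":
			members = append(members, strings.TrimSpace(line))
		}
	}
	return members
}

// Alert is one local administrator that deserves a look.
type Alert struct {
	Account string
	Reason  string
}

// AuditAdmins flags every administrator that is hidden from the logon screen
// or missing from the approved baseline. Hidden plus administrator is exactly
// the combination the breach notice describes.
func AuditAdmins(admins []string, hidden, baseline map[string]bool) []Alert {
	var alerts []Alert
	for _, a := range admins {
		key := strings.ToLower(a)
		switch {
		case hidden[key]:
			alerts = append(alerts, Alert{a, `hidden via SpecialAccounts\UserList`})
		case !baseline[key]:
			alerts = append(alerts, Alert{a, "not in approved administrator baseline"})
		}
	}
	return alerts
}

func main() {
	hidden := ParseHiddenAccounts(sampleUserList)
	admins := ParseLocalAdmins(sampleAdmins)
	for _, a := range AuditAdmins(admins, hidden, DefaultBaseline) {
		fmt.Printf("ALERT %-22s %s\n", a.Account, a.Reason)
	}
}
```

On the sample it raises two alerts: `svc_ehr`, an administrator hidden from the logon screen, which is the Blaine pattern, and `jsmith`, an administrator nobody documented. Run the two commands on each endpoint on a schedule and diff the result against the baseline; a vendor-created admin that no one at the practice knows about should never survive that comparison for long.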