Nearly 10 million patient records have been listed for sale on the darknet this week. The five separate listings on TheRealDeal dark web market, posted by the individual(s) going by the alias TheDarkOverlord, come from a variety of healthcare organizations and geographies. Our expert team of analysts has been monitoring and researching the situation as it unfolds, and we have written this post to update you on what we currently know.
TheDarkOverlord first began listing patient records on the dark web on Sunday, June 26, 2016. Three separate listings appeared for the following:
- 48,000 patient records from the Farmington, Missouri area, offered at BTC 60 (~$38,800) at the time of listing.
- 210,000 patient records from the “Central/Midwest United States”, offered at BTC 170 (~$110,000) at the time of listing.
- 397,000 patient records from the Atlanta, Georgia, area, offered at BTC 300 (~$194,200) at the time of listing.
After being alerted to the listings by OWL Vision, our analysts began further research and reconnaissance on the largest of the three caches, the 397,000 records from the Atlanta, Georgia area. Using intelligence from the listing, which included several sample records, an interview with TheDarkOverlord posted to the DeepDotWeb news outlet, and other sources of information, our analysts identified an organization to whom they believed the data belonged. Sellers often include a few samples from the database so that potential buyers can verify the validity of the data, and this sample data is of great value to security researchers trying to identify and notify breached organizations.
Our analysts made several links between the TheRealDeal listing for patient records from Atlanta, Georgia and other data, and we followed our standard procedure and contacted the healthcare organization to which we believed the data in the listing belonged. We shared what we knew with the organization's CISO, including sample data taken from the listing. After internal investigation, the CISO notified us that they had determined it was not their data.
While TheDarkOverlord alludes to how the data was accessed, claiming to have leveraged a vulnerability in Microsoft's Remote Desktop Protocol, we cannot yet substantiate these claims. In an encrypted chat with DeepDotWeb, TheDarkOverlord was quoted hinting at potential ransom campaigns: "Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come." We'd like to distinguish this from ransomware; it appears that the hacker(s) have demanded money to remove the listings and to keep quiet regarding the breached organizations (though we have yet to substantiate this claim as well).
On Tuesday, June 28, 2016, TheDarkOverlord listed:
- 9.3 million patient records from "the United States," offered at BTC 750 (~$485,000) at the time of listing.
This listing provided 100 sample records, and both our researchers and researchers at databreaches.net looked into verifying the data. The records appear to be valid, but potentially dated.
On Wednesday, June 29, 2016, TheDarkOverlord listed:
- 34,000 patient records from New York, offered at BTC 30 (~$20,000) at the time of listing.
TheDarkOverlord also took to Pastebin to name a breached organization on Wednesday.
The healthcare provider associated with the Farmington, Missouri listing from Sunday (48,000 records) was named on a Pastebin page. While the page was quickly removed from Pastebin, OWL Vision indexed it, and our analysts could take a look. The page begins with the line, "Scott A. Vanness owns the clinics that service these 499 patients. Midwest clinic groups in Farmington, MO." It subsequently contains 499 patient records, and includes: "Record #, Pat.Act.#, Active, Last Name, First Name, MI, Suf., Address Line 1, Address Line."
The 210,000 record listing from "Central/Midwest United States" was updated to reflect its origin in the "Oklahoma City, Oklahoma, United States." The price on the Oklahoma listing (originally BTC 170) was dropped to BTC 85 (~$57,000), and the price on the 9.3 million record listing (originally BTC 750) was dropped to BTC 375 (~$253,000).
We have been interviewed by multiple journalists this week, and they have all asked the same question, which you are likely wondering as well: Who is this TheDarkOverlord character?
The dark web, by its very nature, is designed for anonymity. It is intentionally hidden and inaccessible with standard web browsers, making it very difficult, if not impossible, to determine the identity of any given user. If someone does not take every precaution while using the dark web, it can be possible to connect some or all of the dots. However, we do not know the identity of TheDarkOverlord, as this user is being very careful in both operations and communications.
Our team will continue to monitor the listings of these patient records and the actions of TheDarkOverlord.
Follow us on Twitter (@owlcyber) and keep an eye on our blog for updates!