Written by Gal Landesman
We have recently learned of numerous data breaches targeting the healthcare industry that have exposed electronic personal healthcare information (ePHI). Just this month, a Chicago doctor’s email account, holding information on 1,200 patients, was accessed; a stolen laptop and flash drive jeopardized 2,500 patients’ data in Michigan; the investigation of the California Sutherland Healthcare Services data breach revealed that data pertaining to 338,700 individuals has been compromised; and La Palma Inter-community Hospital announced an old case of data breach involving one of their employees who accessed personal information without permission.
We are hearing about such incidents on an almost daily basis. Symantec even named 2013 the year of “Mega Breach”, with more than 552 million identities exposed this year. According to Symantec, the healthcare sector suffered the largest number of disclosed data breaches in 2013. They blame it on the large amount of personal information that healthcare organizations store and the high regulation standards requiring them to disclose data breaches. Still, the healthcare industry is one of the most impacted by data breaches this year.
Targeted data includes health insurance information, personal details and social security numbers. What could really happen if a patient’s personal data falls into the wrong hands?
Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Attackers could make fraudulent insurance claims, obtain free medical treatment or addictive prescription drugs for personal use or resale.
Cyber criminals are definitely eyeing medical records. These records can fetch about $60 apiece on the black market, according to Norse-Sans that published a detailed report on the issue this February, claiming that such records are even more valuable than credit card information because they present criminals with greater opportunities for exploitation, such as insurance and prescription fraud. Norse-Sans identified a large volume of malicious traffic in their analysis of healthcare organization traffic.
Another example of interest was published by the Wall Street Journal, days before the Norse-Sans report, featuring valuable network information of healthcare facilities that was dumped on 4shared.com (a file-sharing site), including firewall brand, networking switch, Internet addresses of wireless access points, blueprints of the facilities, locations of PCs and printers and encryption keys, usernames and passwords that could be used for network access.
Here at SenseCy, we successfully traced the usage of breached medical information on Underground forums and the DarkNet. The following are some examples of prescription drugs for sale on the Underground:
Someone is offering Clonazepam (Klonopin), which affects chemicals in the brain, for sale:
Another vendor offers different drugs, including ADDERALL-IR, a psychostimulant pharmaceutical drug, and Percocet, a narcotic pain reliever (containing opioid):
Information for sale:
Original prescriptions for sale: