Cybercriminal TheDarkOverlord stole more patient records and medical images than originally thought, InfoArmor reports

The hacker broke into organizations on the HL7 network, the security firm has found, and has since put those records up for sale on the dark web. The security firm also said TheDarkOverlord is actively looking for more servers to hack in healthcare.
By Jessica Davis
01:25 PM

Cybercriminal ‘TheDarkOverlord’ has gained access to more than 10 million healthcare records and posted them for sale on the dark web, security firm InfoArmor confirmed.

This number has increased from the 9.3 million estimate originally reported at the end of June.

What’s surprising is that he or she has stolen not just personally identifiable information but also medical imaging, obtained by exploiting security vulnerabilities in email software that supports HL7 and in organizations connected to the HL7 network, according to InfoArmor’s CIO Andrew Komarov.


The concern is that many organizations believe this type of data cannot be monetized, Komarov explained. But the hacker is merely looking for the right illicit customer, who can use contact information from the patient data to deceive the victim.

Bad actors, in fact, have attempted to sell more than three terabytes of stolen healthcare data, according to Komarov, and the perpetrators have moved from exploiting healthcare organizations to targeting vendors.

“On all compromised systems, on traditional network encryption, there are no access control mechanisms,” Komarov said. “It looks like the healthcare industry doesn’t understand the full risks in regards to cybercrime.”

In some cases, the hackers also gained access to all data stored in local files or in Microsoft Access desktop databases that had no user access segregation; once the host was compromised, the cybercriminal gained widespread access.

To make matters worse, ‘TheDarkOverlord’ named two specific victims on his Twitter account, while thanking an Oklahoma City organization for what appears to be compliance with his or her terms. And this morning, he threatened that data of another SRS EHR database from California will be on the market soon.

“We know he is actively looking for new servers from the healthcare world,” Komarov said, and employing tactics such as mass scanning of servers every day to exploit vulnerabilities and find specific healthcare information to monetize.

“He’s not stopping with five or seven victims,” Komarov added. “He has more and has consulted with other bad actors for advice for further distribution. That’s what we expect from him.”


Twitter: @JessieFDavis