HIPAA is intended to provide guidelines that help medical providers and data handlers protect patient information. The legislation, along with an increased focus on computing security, has improved safety considerably, but serious threats continue to exist. Unfortunately, so do glaring oversights that give hackers access to data deserving of the most painstaking protection.
In late June, 2016, a hacker known as “TheDarkOverlord” offered to sell three medical databases that contain private information relating to 655,000 American patients. The data provides everything criminals might need for identity theft and more, including medical information, social security numbers, complete contact information and insurance coverage.
Are you scared yet? You should be, whether you’re a provider who handles this kind of information or simply a medical consumer. The three databases, which were listed on dark net forum TheRealDeal, are available with varying asking prices based on their size and degree of completeness:
- For roughly $100,000, you can purchase a database describing 48,000 patients in and around Farmington, Missouri.
- If you want something bigger, how about a Central U.S./Midwestern database of 210,000 patients for $200,000?
- Still not enough? Check out the mother lode: a database of 397,000 patients that offers stunningly complete information gathered by a major Atlanta healthcare organization. It’s listed at $400,000, but represents comprehensive contact and identification data along with primary and secondary health insurance information.
Don’t forget that every purchase includes the sensitive medical information associated with each patient. It might be considered a bargain, really, especially considering that the hacker promises to sell only a single copy.
The Daily Dot, the website that reported the story, has verified the validity of some of the data offered and communicated with TheDarkOverlord, who freely discusses the purchase terms and methods used to access the data. About the Atlanta offering, the hacker says, “This product is a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.” Is it Emory, perhaps? Grady? Either way, it’s bad news for providers, patients and insurers.
The healthcare organization from which the data comes uses SRS EHR v.9, according to TheDarkOverlord, who reports that the software has major vulnerabilities: “I found several exploits to remotely access the SRSSQL servers. It was like stealing candy from a baby.”
He or she claims that SRS is hackable in every version and goes on to say, “I suggest anyone using an SRS EHR cease activity of it immediately. I have already plundered as many as I could find since I discovered the vulnerability.”
After accessing the data, the hacker typically attempts to sell it back to the healthcare entity that owns it, only offering it for public sale if the victims refuse the extortion effort. The hacker advises, “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer.”
As galling as this situation might be, that may be good advice. TheDarkOverlord claims, “If the entities pay up, the patient data is not exposed. I delete everything I have once a victim pays. I also supply a report regarding the results and the documentation of the attack.” It’s an expensive lesson, to be sure, but one that protects patient data while pointing out critical vulnerabilities in the organization’s data security system.
Given the severe nature of the threats that come from this kind of vulnerability and the increase in EMR use and interoperability, healthcare providers may be interested in one final bit of advice from TheDarkOverlord: “Networking is the downfall of most of my targets.”
Protecting patient data is more than a legal and ethical responsibility; it’s a business imperative. This kind of frightening story should inspire a serious examination of security for software, hardware and every other aspect of the data chain.
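The one concrete root cause the story names is plaintext credentials sitting on a reachable internal network. A first, cheap part of the security examination suggested above is to audit configuration files for exactly that. The script below is an added example for this article, not code from the original story or from any EHR vendor; the sample configuration is constructed, the hostnames and passwords in it are fictional, and the list of hash prefixes is an assumption covering only common formats.

```python
"""Audit configuration text for plaintext credentials.

Added example for this article (not the article's own code). The sample
config is constructed; host names and secrets in it are fictional.
"""
import re
from typing import Dict, List

# Constructed sample: the kind of config a database-backed EHR host might carry.
SAMPLE_CONFIG = """\
[database]
host = srssql-internal.example.local
user = ehr_app
password = Summer2016!

[admin]
user = admin
password_hash = $2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345

[reporting]
conn = Server=srssql;User Id=report;Password=report123;
"""

# Assumption: prefixes of password-hash formats we treat as "not plaintext".
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$6$", "$5$", "pbkdf2")

# key = value / key: value lines whose key mentions a password.
KEY_RE = re.compile(
    r"^\s*(?P<key>\w*pass(?:word|wd)?\w*)\s*[=:]\s*(?P<val>\S.*?)\s*$", re.I
)
# Password embedded in a connection string (Password=...;).
CONN_RE = re.compile(r"password=(?P<val>[^;]+)", re.I)


def looks_hashed(value: str) -> bool:
    """True if the value starts like a known password-hash format."""
    return value.startswith(HASH_PREFIXES)


def mask_secret(value: str) -> str:
    """Keep the first two characters so a finding is recognisable, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_plaintext_credentials(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that carries a plaintext secret.

    Hashed values (per HASH_PREFIXES) are not reported. Secrets are masked
    in the output so the audit report itself does not leak them.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            value = m.group("val")
            if looks_hashed(value):
                continue
            findings.append(
                {"line": lineno, "key": m.group("key"), "value": mask_secret(value)}
            )
            continue
        c = CONN_RE.search(line)
        if c:
            findings.append(
                {"line": lineno, "key": "connection-string password",
                 "value": mask_secret(c.group("val"))}
            )
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['key']} = {f['value']}")
```

Run against real configuration directories, the same logic (with the secret masked, as here) gives an inventory of credentials that a ticket can then move into a secrets store or replace with hashed values; the hashed admin entry in the sample is deliberately left out of the report to show that the check distinguishes the two cases.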