The famous American bank robber Willie Sutton was once asked why he robbed banks, to which he is reported to have answered, "Because that's where the money is." In similar fashion, cybercriminals such as the hacker group that calls itself "TheDarkOverlord" could be asked why they breached one healthcare organization after another throughout 2016. They would probably reply, "Because that's where the personal information is, and personal information equals money." In fact, it is estimated that a complete personal record is worth ten times more on the black market than a credit card number. As Paul Syverson, one of the creators of Tor, puts it, "Your medical records have bullseyes on them."
2016 kicked off with a much-publicized ransomware attack on Hollywood Presbyterian Medical Center in February. The attack began when an employee clicked a link in a phishing email, which downloaded ransomware that quickly spread across the enterprise. The attack proved highly successful, encrypting a large number of files and forcing the IT staff to shut down the network. The hospital had to divert hundreds of patients to nearby hospitals and cancelled most treatments; the radiation and oncology departments were shut down completely. After failing to recover from backup, hospital administration finally relented and paid a ransom in bitcoin worth around $17,000.
2016 has seen an unprecedented number of attacks on healthcare facilities, including hospitals, clinics and insurers. Though the Hollywood Presbyterian attack garnered the most press, it was one of several: Lukas Hospital in Neuss, Germany was hit by a similar ransomware attack on February 11th, and an attack on Methodist Hospital in Henderson, Kentucky forced the entire facility to shut down for a weekend. All in all, 14 hospitals have been targeted by ransomware this year, the most recent being Keck Medical Center of USC and New Jersey Spine Center, the latter of which had not only its electronic health records encrypted, but its backup files and phone system as well.
Cyberattacks on health organizations, however, are not limited to ransomware. According to a 2016 IBM study, healthcare is the number one industry when it comes to breached records, with one in three healthcare records compromised in some fashion in 2015. The summer of 2016 was a hotbed of attacks, many of them carried out by one actor in particular, named after a comic book villain: TheDarkOverlord (TDO). Whether a single individual or a group of hackers, this notorious operation, initially known for ransomware attacks, has since gained a reputation across the country for the ease with which it breaches healthcare organizations. Its first publicized breaches, in June, were substantial:
- 48,000 patient records from a clinic in Farmington, Missouri. The records were taken from a Microsoft Access database and were stored in plain text.
- 210,000 patient records from a clinic in the central Midwest, also captured in plain text. The records include Social Security numbers, first and last names, middle initials, gender, dates of birth and postal addresses.
- The largest breach was a database of 397,000 records from a large orthopedic clinic based in Atlanta, Georgia, which included primary and secondary health insurance carriers and policy numbers. As in the other incidents, the data was not encrypted.
In all three incidents, a representative of TheDarkOverlord contacted the targeted organization, informing it of the breach and stating its demands. Samples of the stolen records were also posted on the RealDealMarket, a dark web marketplace where cybercriminals sell everything from stolen credit cards to drugs. TDO asked each organization for $1 per record, with each given a separate deadline. To date, none of the affected organizations has paid the ransom. Refusing to pay, however, has not spared them a large financial hit. In the case of the Georgia-based orthopedic clinic that suffered the largest breach, the bills continue to mount: the clinic had to hire a public relations firm to repair the damage to its reputation in the area and to calm the fears of past and current patients, some patients have left, a class action lawsuit is rumored to be pending, and the clinic has spent nearly $100,000 on a security audit to shore up its defenses so that it never happens again.
TDO's exploits, however, have not stopped. Shortly after that quick series of attacks, TDO struck again, this time acquiring 9.3 million records from a major health insurer. The one bit of good news is that, with the flood of stolen records from TDO and others, the black-market price of an electronic healthcare record has fallen from $75-$100 to $50-$70, precisely because patient records have become so easy to obtain. This may be why TDO has apparently moved on from healthcare for the time being. Last month it turned its attention to West Park Capital, a California investment bank, and since that attack it has been releasing personal files belonging to the firm's CEO as proof of the breach. In late 2016, it attacked the family-run Gorilla Glue Company, a breach involving 500 GB of research and development materials, intellectual property and product designs, as well as access to Dropbox and personal email accounts. Healthcare administrators and IT leaders can only hope that more hackers lose interest in attacking their industry.