Hacker’s Selling MD Info on the Dark Web
Doctor’s Fall Prey to Hackers
Cristal M Clark
Everything seems to be for sale these days in terms of one’s identity and worldwide, governments are unable to both prevent it, let alone stop it once the proverbial ball starts rolling.
In what some are calling a deeply disturbing new trend, hackers are selling the identities of doctors for $500 on the dark web. The hackers are obtaining all the details needed to pose as a medical professional by targeting, employees, hospitals and other healthcare organizations, which possess all of the highly valuable data. In case you are wondering about the employee bit; employees are every organizations biggest liability and some cases employees are sending information through non secured email channels, texts, WhatsApp, in public and the like. Case in point, Clinica here in Colorado has a rather rampant issue with its medical staff sharing patient records, which include doctor information, utilizing the likes of Gmail rather than its internal email system as reported by employee BB, who is stationed in Lafayette, CO. Then we have as we all should be very well aware of, the hacking into and holding hostage of networks, which of course contain virtually all the needed information. Hackers compromises the corporate network of a healthcare provider to find administrative paperwork that would support a forged doctor’s identity and patient information. A process that becomes even easier once hackers see staff sharing information through non-secured email like in the case of Clinica.
The cyber criminals are then able to use the stolen information to forge the identities of doctors in order to submit fraudulent insurance claims or obtain prescriptions for controlled drugs like opioids that will in turn be sold on the black market or on the streets.
Documents on sale include malpractice insurance documents, medical diplomas, board recommendations, medical doctor licenses, and DEA licenses. This was uncovered by researchers at cyber security firm Carbon Black, who tracked the shifting patterns of cyberattacks towards medical organizations as well as personal medical records and hacked health insurance company login information.
Tom Kellermann, chief cyber security officer at Carbon Black: “This is a relatively new trend, the price is warranted when you consider what can be done with the data. Cyber criminals can use this information to facilitate insurance fraud, as well as submit prescriptions for controlled substances like opioids. These can then be sold on the black market at a steep profit.”
This information is generally cheaper to obtain, with forged prescriptions costing between $10 and $120 on the dark web and insurance login information costing as little as $3.25 per record.
The researchers called for “extreme vigilance” on the part of security teams working to protect healthcare institutions. Which is desperately needed, honestly. The employee who informed me about medical staff sending patient records through Gmail also took it upon himself to share sensitive patient information with me on multiple occasions, the fact that the CFO of the organization fell for an email scam costing the organization thousands, and the inner workings of the software that they utilize. This type of information sharing with anyone is a cybercriminals wet dream if you will.
The world however, as in our worlds governments need to make it easier for all individuals to change ones credentialing if you will once someone’s identity has been compromised, new identification numbers, new licenses, etc. because by default, by keeping all of that information the same and simply flagging it, you still allow for the crimes under which the original licenses, identification numbers were committed, to continue on.
Cristal M Clark