Dedicated to providing the latest
HIPAA compliance news

Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet

Share this article on:

Databreaches.net has discovered a healthcare data breach of more than 3,000 records. Those records appear to have been sold by the hacker responsible for the attack via a darknet marketplace. The records contained health and mental health histories and therapy session notes from 2007 to present.

In total, more than 4,500 patient records were obtained by the hacker, which related to ‘3,000-3,500’ unique individuals. The records included names, addresses, phone numbers and employer details along with SSNs, dates of birth and the names of patients’ physicians.

Worse still, the records contained complete family histories, details of substance abuse, legal histories, health and mental health histories, and detailed ‘complete’ notes of therapy sessions spanning several years.

The individual responsible for stealing the information listed the records for sale on a darknet marketplace advising potential buyers that the records contained “Everything confessed/discussed in complete privacy is in here for thousands of patients.”

The complete set of data was listed for sale for a minimum price of $10,000 and was allegedly sold to one individual. The seller suggested the records could be sold back to the organization from where they were stolen.

It is not clear how the records were stolen, although the seller claims the healthcare organization had ‘not-so-great network security. Databreaches.net was able to identify the source of the data and alerted the organization – Behavioral Health Center in Bangor, Maine. The health center has launched an investigation into the breach and will notify affected patients in due course.

The report of the discovery can be viewed on this link.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On