HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Another Hacked Healthcare Database Listed for Sale: Some Victims Confirmed

The listing of three healthcare databases containing 655,000 healthcare records in late June was followed by a posting of a much larger health insurer database containing 9.3 million records. Now, a fifth database has been offered for sale. The latest batch of healthcare data contains 23,565 patient records. The latest database was obtained by the hacker TheDarkOverlord “through the token impersonation of an employee.”

The organizations whose data have been listed for sale have not come forward and confirmed that they are the victims, although further information has emerged linking two organizations to the latest breaches.

After performing some investigative work on the samples provided by the hacker to confirm authenticity of the stolen data, Databreaches.net was able to determine that the database containing 48,000 records most likely came from Midwest Orthopedic Pain & Spine. This batch of data was initially claimed to have come from a healthcare organization in Farmington, Missouri. The DarkOverlord has since confirmed that the data came from the Scott A. Vanness-owned orthopedic clinic.

The largest database from the initial set of three that were posted on TheRealDeal darknet marketplace contained 397,000 patients’ records. The hacker indicated in the listing that the data had come from an Atlanta, Georgia-based healthcare organization.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

This database was linked to the Athens Orthopedic Clinic. While the clinic has not confirmed that it was the victim, after being contacted by Databreaches.net, the CEO of the Athens Orthopedic Center did confirm that an email had been received from a hacker claiming data had been stolen. The notification has prompted an internal investigation at the clinic.

It is currently unclear who the other victims of the breach are. They include the health insurer from which 9.3 million records were stolen, the latest victim from whom 23,565 records were taken, and the central/Midwest organization that had 210,000 patient records stolen.

It is possible that there may be further postings of data to come and more healthcare organizations may discover they have been hacked and their patient data stolen. Databreaches.net’s Dissent Doe chatted with the hacker regarding the attacks, and in her post on The Daily Dot, she said she asked the DarkOverlord how many healthcare databases had been stolen. “A number that is large and sad” was the answer provided.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.