

Things a Criminal Could Do With 9 Million Hacked Health Care Records

A hacker is advertising 9 million records supposedly hacked from a health care insurance database. But what could they actually be used for?

What can a fraudster do with medical records stolen from several health care organisations?

Last weekend, a hacker advertised over 600,000 alleged records for sale on the dark web. Then on Monday, the same hacker listed around 9 million supposed health care insurance details.

Those dumps included, among a few other tidbits, Social Security numbers, dates of birth, physical addresses, and victims' full names. Some also include health insurance details, such as policy numbers, but the victims' medical histories do not appear to be on sale.


But what could a fraudster actually do with that information? Could they monetize it? Simply screw people over? And how has the abuse of this sort of data changed recently?


According to Arian Evans, VP of product strategy for RiskIQ, there's the possibility of medical fraud. An imposter could file fake insurance claims and get reimbursed for medical procedures that were never performed. Although rare, this approach could be particularly lucrative.

"The insurance companies, with established practices of one-day claim payments, could be affected the most," Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, told Motherboard in an email.

The hacker behind the breaches, who goes by the handle 'thedarkoverlord,' told Motherboard that someone wanted to buy all of the Blue Cross Blue Shield Insurance records specifically.

Evans added that someone could obtain medical goods or services in the victims' names, which would taint their medical records. Although this might not necessarily turn a profit for the imposter—that would depend on whether they could get something that could then be sold—it might be an effective way to screw someone over.


One of the dumps even includes individual victims' doctors.

With that info, a hacker could easily whip up a legitimate-looking email purporting to come from the health care organisation. It wouldn't be hard to harvest more details, or perhaps even credentials, from an unsuspecting target.



Armed with your Social Security number, a fraudster could try and apply for credit in your name. As the Social Security Administration puts it, "Then, they use the credit cards and don't pay the bills. You may not find out that someone is using your number until you're turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought."

But, in 2016, it's not really that simple.

"Long gone are the days when cybercriminals only needed valid Social Security numbers and date of birth to obtain a line of credit," Barysevich said.

According to Barysevich, businesses now require applicants to confirm other background details, which only reputable credit agencies are able to obtain.


So instead of an easy cash-in, the personal information in these healthcare dumps "could be a good starting point, but the criminal will have to allocate sufficient additional resources to obtain the missing information," Barysevich continued. And that process could be a real pain too: The fraudster would need to figure out who in the dump had a good credit history in the first place.


An identity thief could also file a target's tax return before they do it themselves, and steal the victim's refund in the process. The main bits of info a fraudster needs to access anyone's previous W-2 forms are their name, date of birth, Social Security number, and address.


Over the past few years, the Internal Revenue Service (IRS) has been using a PIN system to protect people's identities, but criminals have found a way around that too, as independent journalist Brian Krebs pointed out as recently as March. It took the sort of information included in the health care dumps, along with some other easy-to-find details.

According to anti-fraud company iovation, the Internal Revenue Service is now taking three times as long to review 2015 tax returns when compared to previous years. This is potentially because of new fraud filters that have been put in place.

But just last week the IRS scrapped the PIN system altogether because of a spike in suspicious activity. In February, the agency said that cybercriminals had accessed more than 100,000 PINs.


Barysevich also said attackers could get hold of a new mobile phone in the target's name. Indeed, back in 2012 the Guardian reported on just how easy this process can be, with only basic personal details and perhaps a fake ID being necessary. This way, fraudsters can get their hands on a top-of-the-range smartphone while you are footing the bill and scrambling to preserve your credit history.

With all that being said, it's not actually clear whether the hacker behind these latest breaches will sell the data on the dark web. Thedarkoverlord previously told Motherboard that the plan is to intimidate the affected organisations into paying a ransom in exchange for not disclosing the data or naming the company. The relatively high price of the dumps may reflect that.

"750 BTC ($484,161.55) is a high price for 9.3M records. This is going to price many potential buyers out of the market. Those buyers with the ability to purchase this much data likely have the capability to collect it themselves at a lower cost," Rick Holland, vice president of strategy at cybersecurity company Digital Shadows, wrote in an email.