DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Medical records ransom: when a "trend" is not a trend

Posted on September 25, 2012 by Dissent

I’ve been meaning to comment on media coverage of  the breach involving The Surgeons of Lake County. While I’m glad my blog entry was able to bring it to the mainstream media’s attention,  I was concerned to see some sites and professionals I respect treat it as either a novel crime or as part of a growing trend. Extortion demands are not novel to anyone who’s followed data breaches over the years, and less than half a dozen reported cases spread over 9 years do not constitute a trend for the healthcare sector.

Here’s a chronological listing I’ve compiled of some publicly disclosed healthcare-related breaches involving extortion or ransom demands:

2003:

  • A Pakistani clerical worker to whom University of California, San Francisco Medical Center patient records had been outsourced for transcription threatened to upload confidential medical files to the internet unless she received money.
  • Two employees of an outsource transcription service in Bangalore demanded unreported concessions or they would upload confidential files from Heartland Information Services in Ohio.

2006:

  • A burglary at Medical Excess LLC, a unit of AIG, resulted in the theft of 970,000 patients’ information from the medical underwriter’s office.  The company subsequently received an extortion demand to pay $208,000 or the data would be released on the Internet. In 2008, the FBI arrested Kevin Michael Stewart.  At the time of the burglary, Stewart was an employee of Eagle Trident Security, the firm that provided building security for Medical Excess.

Note that these first three incidents all involved employees of contractors or subcontractors and not external hacks or ransomware.

2008:

  • Express Scripts  notified approximately 75 people after it received an extortion demand from someone who had provided them with 75 patients’ records as proof.  Refusing to pay, the firm went public with the situation. In September 2009, after the FBI informed them that there was proof that over 700,000 patients’ records had been acquired, they notified the additional individuals. There was no further update from Express Scripts after that time.

An article in November 2008  was headlined, “Is Medical Record Blackmail a Trend to Come?” To this day, there has been no arrest in this case and Express Scripts will not say whether insiders have been ruled out as a source of the breach. 

2009:

  • The Virginia Prescription Monitoring Program received an extortion demand for $10 million. The individual claimed to have hacked the database and acquired 8,257,378 patient records and a total of 35,548,087 prescriptions. The hacker also claimed to have created an encrypted backup and to have deleted their files. The ransom would presumably buy them the password to get back into their files. If they didn’t pay the ransom, the hacker indicated the records would be put up for sale on the open market.  There was never any indication that happened after the state said it would not pay the ransom. This breach is remarkably like The Surgeons of Lake County incident. An article in June 2009 was headlined,  “Ransoming data: The new weapon of choice for cyber criminals?”
  • The Texas Tribune reported that the state and FBI were investigating whether or not the Texas Cancer Registry had been hacked and if a ransom demand they received was a hoax or real.  No further statement was ever made to the public or media and the registry did not respond to an e-mail inquiry from this site requesting a follow-up. 

2011:

  • Xavier University received an extortion demand for $20,000 after the extortionist found documents containing detailed medical records of some of the college’s athletes. Thanks to the stupidity of the extortionist, he was caught relatively easily. I include this case because although it involves paper records, it was an extortion demand.
2012:
  • The Surgeons of Lake County in Illinois notified patients of an extortion demand after a hacker encrypted their server and demanded payment to unlock it.

Obviously, I may have missed some relevant incidents that had been reported in the media and there are probably many more that we never hear about – especially if the organizations paid the ransom. But seriously, do the publicly reported incidents support any claim about a “growing trend” or a “novel new approach?”

Put simply, I don’t think they do.

Could this type of situation become a trend? Yes, but there’s simply no compelling evidence that there is a trend at this time.

And while the ransom attempt attracted mainstream coverage as it makes for sexy news reporting,  another larger breach I noted in the same blog entry did not generate as much public notice even though it actually affected patients.  The breaches recently reported by Memorial Healthcare System and Florida Hospital both demonstrate that despite HIPAA and HITECH, the healthcare sector still has not adopted adequate security measures to prevent or promptly detect insider breaches.  And that’s where I think we should be focusing our discussion and efforts: reducing the insider threat while hardening our firewalls and protection from external threats.

 

Category: Uncategorized

Post navigation

← IEEE leaks 100,000 members’ usernames and plain-text passwords (update3)
Personal information stolen from 2 nonprofits →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.