Seen up for sale on a forum (I’m redacting the ads and samples):
Healthcare Database (48,000 Patients) from Farmington, Missouri, United States
This product is a considerably large database in plaintext from a healthcare organization in Farmington, Missouri, United States. It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.
Format: Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1,Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone,Work Phone,Cell Phone
Sample: 34441,344416,TRUE,Andrews,Amy,,,[redacted],Fredericktown,MO,63645,[redacted],[redacted],F,D,N,,[redacted] ,( ) – ,( ) –
Statistics:
Total Records Count: 47,864
DOB 1890-1934: 5,650
DOB 1935-1989: 38,136
DOB 1990-1997: 2,783
DOB 1998-2015: 1,295
Database (210,000 Patients) from Central/Midwest United States
This product is a very large database in plaintext from a healthcare organization in the Central/Midwest United States. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.
Format: SSN,FIRST NAME,MI,LAST NAME,SEX,DOB,ADDRESS
Sample: [redacted] ,MARLO,O,RIVERA,M,[redacted],[redacted],OKLAHOMA CITY OK 73170
Statistics:
Total Records Count: 207,572
DOB 1890-1934: 39,412
DOB 1935-1989: 135,387
DOB 1990-1997: 18,396
DOB 1998-2015: 14,377
Healthcare Database (397,000 Patients) from Atlanta, Georgia, United States
This ad was mistakenly including the data from the previous ad, but I suspect/fear that it will be corrected. (Updated: here’s the correct info from their ad, redacted by me):
This product is a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.
Raw Format: “/Today”,”/TodayLong”,”/PrimaryHealthInsCo”,”/PrimaryHealthInsType”,”/SecondaryHealthInsCo”,”/SecondaryHealthInsType”,”/Address1″,”/Address2″,”/Age”,”/AnAge”,”/AgeSingular”,”/DOB”,”/CellPhone”,”/City”,”/Email”,”/Fax”,”FName”,”FNameCaps”,”LName”,”/MI”,”LNameCaps”,”/NamePrefix”,”/NameSuffix”,”/Note”,”/personid”,”/Phone”,”/PhoneExtension”,”/WorkPhone”,”/WorkPhoneExtension”,”/Race”,”/Sex”,”man/woman”,”male/female”,”male/femaleFirstCap”,”he/she”,”he/sheFirstCap”,”him/her”,”his/her”,”his/herFirstCap”,”boy/girl”,”son/daughter”,”grandson/granddaughter”,”/SharedID”,”/SSNO”,”/State”,”/JobTitle”,”/Zip”,”/UDF1″,”/UDF2″,”/UDF3″,”/UDF4″,”/UDF5″,”/UDF6″,”/UDF7″,”/UDF8″,”/UDF9″,”/UDF10″,”/PriDrPersonID”,”/PriUDF1″,”/PriUDF2″,”/PriUDF3″,”/PriUDF4″,”/PriUDF5″,”/PriUDF6″,”/PriUDF7″,”/PriUDF8″,”/PriUDF9″,”/PriUDF10″,”/PriDrAlias”,”/PriDrFirst”,”/PriDrLast”,”/PriDrNamePrefix”,”/PriDrNameSuffix”,”/PriNote”,”/PriDrAddr1″,”/PriDrAddr2″,”/PriDrPhoneExtension”,”/PriDrEmail”,”/PriDrCellPhone”,”/PriDrFax”,”/PriDrPhone”,”/PriDrZip”,”/PriDrState”,”/PriDrCity”,”/PriNPI”,”/RefPersonID”,”/RefDrAddr1″,”/RefDrAddr2″,”/RefDrCity”,”/RefDrFirst”,”/RefDrLast”,”/RefDrNamePrefix”,”/RefDrNameSuffix”,”/RefNote”,”/RefDrPhone”,”/RefDrPhoneExtension”,”/RefDrEmail”,”/RefDrCellPhone”,”/RefDrFax”,”/RefDrState”,”/RefDrZip”,”/RefUDF1″,”/RefUDF2″,”/RefUDF3″,”/RefUDF4″,”/RefUDF5″,”/RefUDF6″,”/RefUDF7″,”/RefUDF8″,”/RefUDF9″,”/RefUDF10″,”/RefNPI”,”/PRIMINSPOLICYID”,”/PRIMINSGROUPID”,”/SECONDARYINSPOLICYID”,”/SECONDARYINSGROUPID” Refined Format: /PrimaryHealthInsType,/PrimaryHealthInsCo,/PRIMINSPOLICYID,/PRIMINSGROUPID,/SecondaryHealthInsType,/SecondaryHealthInsCo,/SECONDARYINSPOLICYID,/SECONDARYINSGROUPID,/Address1,/Address2,/Age,/DOB,/CellPhone,/City,/Email,FNameCaps,/MI,LNameCaps,/NamePrefix,/Phone,/WorkPhone,/Sex,/SSNO,/State,/Zip
Refined Sample:
PRIMARY,Cigna Healthcare,U04197556,2461898,SECONDARY,UGA Athletic Dept.,[redacted],[redacted] ,,27y,[redacted],,Atlanta,,[redacted],,[redacted],,F,[redacted],GA,30327
Statistics:
Total Records Count: 396,458
The most common Healthcare Insurance is ‘Blue Cross Blue Shield’ The second most common Healthcare Insurance is ‘United Healthcare’ The plaintext database file is over 200MB in size Ownership of this database will be exclusive and only a single copy will be sold. This has not been leaked anywhere and it has not yet been abused. If you are interested in purchasing this database and would like to make an offer other than what is listed, send a PM. Only serious offers will be entertained.
If anyone knows whose databases these are, you might want to give them a call to give them a heads-up. Or send me an email if you recognize the entity and the table headings. I tried working from the samples, but the first one’s home phone number, not shown in the sample, is no longer in service. And the individual in the second sample appears to be currently incarcerated, so I’m unlikely to reach him.
UPDATE: the seller, TheDarkOverlord, gave DeepDotWeb screenshots from the databases, and it appears that at least one of the hacked entities is using SRS EHR v.9 patient management software.
The seller also added a note to the hacked entities:
Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.
UPDATE: I subsequently had a private chat with The DarkOverlord about these hacks. You can read some of what he told me in my report today on The Daily Dot.