Hacker puts more than 9M health care records up for sale on the dark web

More than 9 million U.S. patient health care records were put up for sale on the dark web — a portion of the internet hidden by anonymity tools — in just the last three days, according to Denver-based firm OWL Cybersecurity.

More than 9 million U.S. patient health care records were put up for sale on the dark web — a portion of the internet hidden by anonymity tools — in just the last three days, according to Denver-based firm OWL Cybersecurity.

OWL Cybersecurity — a firm that has developed software to scan the dark web for leaked or otherwise compromised sensitive data — began investigating the incident on Monday after the files appeared on dark web marketplace TheRealDeal, where they are being sold by someone using the screen name “TheDarkOverlord.”

“Because this situation is still unfolding, there are a number of variables at play and we are currently unable to identify the source of these files,” Mark Turnage, president and CEO of OWL Cybersecurity, said in a statement. “Our analysts are continuing to investigate. However, this underscores that a critical but often overlooked element to an effective cybersecurity program is monitoring data on the darknet, as in many cases it’s posted before a breach is even detected by the owner of the data.”

In an email to FedScoop, Turnage noted TheDarkOverlord ‘is being very careful in operations and communications’ and added there wasn’t enough evidence to determine whether the data was obtained using ransomware.


The largest file package, discovered Tuesday by OWL Cybersecurity, for sale by TheDarkOverlord holds a 9.3 million-record database that was stolen using a zero-day exploit — otherwise known as an undisclosed software vulnerability — in Microsoft’s Remote Desktop Protocol, according to the Denver firm. Another data mining company reportedly came to a similar conclusion. Microsoft declined to comment on whether the alleged zero-day exploit was used to compromise their system.

Other batches for sale by TheDarkOverlord on TheRealDeal appear to be packaged by region of origin: 48,000 patient records from Farmington, Missouri; 397,000 patient records from Atlanta; and more broadly, 210,000 patient records from the “Central/Midwest U.S.”

The prices for each health care record package range from $38,000 to nearly $500,000 for the largest database. These patient records contain people’s full names, addresses, Social Security numbers, gender, medical conditions, emails, phone numbers and dates of birth.

Generally speaking, stolen patient records can be used by scammers for fraud, blackmail and targeted email phishing schemes, Forcepoint Director of Security Technology Bob Hansmann told FedScoop.

‘Few digital records are as rich as those in health care,’ he said. ‘And pretty much everyone goes to health care providers at one time or another.’


The owners of these patient records are not listed on TheRealDeal, and OWL Cybersecurity declined to name parties they suspect to be victims. A company representative said they were in contact with one health care organization based in Atlanta on Tuesday, to notify them of the leak.

According to the Department of Health and Human Services, more than 100 million health care records were exposed in 2015 alone —including a BlueCross BlueShield data breach that exposed the confidential information of roughly 10 million customers.

DeepDotWeb, a news website covering activity on the dark web, was reportedly able to secure an interview with TheDarkOverlord, who said, “There is a lot more to come.” The hacker also gave the publication several redacted images — keeping the target companies confidential — and said that he “used an exploit in how companies use RDP. So it is a very particular bug. The conditions have to be very precise for it.”

RDP is a term used by network administrators that references a secure remote desktop, which typically operates over an encrypted channel.

In his email to FedScoop, OWL Cybersecurity’s Turnage underscored that, while his firm has not yet identified TheDarkOverlord, it was not impossible to determine a dark web user’s identity.


“The dark web, by its very nature, is designed for anonymity. It is intentionally hidden and inaccessible with standard web browsers making it very difficult, if not impossible, to determine the identity of any given user,’ he wrote.

‘If someone does not take all precautions while browsing the dark web, it can be possible to connect some or all of the dots.’

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts