Data of 500,000 Children Stolen from Pediatricians, Sold on Dark Web

A hacker who operates with the online alias Skyscraper revealed that 500,000 records of patients have been stolen from various healthcare companies and are currently being sold on the dark web. According to Skyscraper, all of the stolen records and identities are that of children and they include sensitive information such as the names of the children and their parents, social security numbers, addresses, phone numbers and complete medical records.

Although the names of the targeted healthcare institutions remained undisclosed by Skyscraper and the publication he was interviewed by, Skyscraper further noted that more than 200,000 records of children were also stolen from several elementary schools and were sold on the dark web.

Hackers including Skyscraper often target patient records of children because they are one of the highly valued products on the dark web besides tax return and credit card information. As reported by DeepDotWeb this week, IBM Security executive security advisor Limor Kessem stated that tax filing information is the most premium type of record criminals can access to on the dark web.

Kessem explained:

“Tax filing information is probably the most premium type of record criminals can buy on the underground. It goes for $40 or $50, and unlike credit cards, never expires. People can try and get loans in someone’s name, make fake IDs in people’s names, get credit.”

Following tax return and refund information, ICIT Senior Fellow James Scott noted that patient records of children are of high demand on the dark web because it contains a wide range of information, similar to tax return forms. While patient records lack financial data, complete medical records of patients, particularly young patients, can be sold at a price range of $500 to $1,200 on darknet marketplaces.

Scott further emphasized that medical records of children are highly valued on the dark web because criminals can easily develop a fake identity based on the given information. More importantly, because healthcare breaches are usually not discovered, the theft of medical records can be left undisclosed to both the facility and its customers for a significant period of time.

It was also revealed that the filing of loss or breached records by healthcare institutions that specifically deal with pediatrics was inaccurate. According the Department of Health and Human Services’ Office of Civil Rights, most healthcare institutions which suffered from data breaches and exposure were unaware that their data was leaked.

In general, the healthcare industry has a serious issue with its internal infrastructure and the method it uses to secure and protect client data. On March 30, DeepDotWeb reported that 76 percent of hacked healthcare information were sold on the dark web and darknet marketplaces.

The research paper of Evolve IP read:

“Overall, 68% of all analyzed covered entities and their business associates have employees with visibly compromised accounts — 76% of which include actionable password information. Using ID Agent’s proprietary Dark Web ID analysis technology, ID Agent and Evolve IP analyzed 1,000 healthcare companies representing a variety of business types and sizes. On average, more than 68% of the firms reviewed have compromised email credentials visible and available on the Dark Web.”