Newly Stolen Medical Records Auctioned on Darknet Site

Relatively speaking, Lithuania amassed their fair share of data breaches within the past five years. In many cases, the hacks occurred both inside and outside the medical sector—the medical breaches, though carried less of a foreign impact than the others. However, a Lithuanian plastic surgery clinic recently landed in the spotlight for a data breach that showcased patient pictures on the darknet.

International media saw Lithuania on the news for a medical data breach not long ago. The “Tsar Team” aka “Fancy Bear“ hacked the World Anti-Doping Agency (WADA). Confidential medical data of 25 famous athletes made their rounds in the internet. Serena Williams lost her confidential information in that breach and was among the most famous of the victims. The database hack of Lithuanian web host “000webhost” likely rang more alarm bells, however. Hackers dumped 13 million passwords and HaveIbeenpwned activity spiked.

In this case, though, hackers targeted UAB Beauty Surgery (Grozio Chirurgija). The threat actors claimed, in an email to several Lithuanian news outlets, that they stole 24,000–25,000 individual medical records. Compared to many medical breaches seen in the United States, this caused, so far, less of a concern about the confidential information itself. The pictures, though, raised an alarm.

The group of six cybercriminals wrote emails to the media that outlined the situation:

“Hello, we have collected information about 25,000 people who benefited from the Beauty specialists, [some] but not all are Lithuanian celebrities. Also we have plastic surgery photos taken of changes (vagina, breast, penis, etc.). The preferred form of settlement – Bitcoin. Currently, we are analyzing the collected information. [Once complete], the list will be longer. We are a group of six people, and for this information we would like 100 thousand euros.”

When the news first broke, one of the clinic’s owners wrote, in an email response regarding the news. He saw some of the leaked data and when asked a question about the validity if it, he responded that the names were real. The photos, he said, were false. He explained that he saw for himself that the hackers simply took photographs from the internet and claimed they came from the clinic. In a later email, he told a source that the photographs—the before and after pictures—never left physical storage. The clinic only uploaded the paperwork; pictures stayed with the staff, co-owner Jonas Staikūnas said.

One news agency published the co-owner’s comments and received an email from an anonymous email address that disputed Staikūnas’s words. They vowed to send proof. They did so in the form of several photographs of well known public figures. They spoke with one of the individuals in the photographs, a musician who went through a breast augmentation operation. She admitted that the pictures came from her procedure at the clinic in question. (She explained that the surgery was not a secret. Even single glance at her pictures revealed that she made no attempt to conceal the work.)

The alleged six-count person group emailed again and alerted the news outlet of the next step: uploading the pictures to a darknet auction site they created. The group uploaded, as of the writing of this article, 62 sample listings that contained the patient’s entire file for free. Pictures, medical history, phone numbers, email addresses, etc. Everything is either highly sensitive or explicit, if not both.

The auction is an interesting choice. In addition to auctioning off each patient, they continue to blackmail the plastic surgery clinic. Furthermore​, the price for patient data keeps rising. At the writing of this article, the buyout price is 300BTC. The company has not concretely said anything about their next step. However, at this point, along with statements that call the hackers thugs, not hackers, the chances of a buyout happening look slim.