A former employee of Bupa, the multi-billion dollar healthcare giant with over 84,000 employees, was fired from the company after selling between 500,000 and 1 million medical records on the dark web.
Earlier this month, analysts and consultancy firms including DataBreaches discovered that the former employee, whose identity remains undisclosed, had sold several batches of hundreds of thousands of medical records secured by Bupa.
According to DataBreaches, the first batch of medical records stolen by the former Bupa employee was introduced to a dark web marketplace on June 23. Although Bupa’s Managing Director Sheldon Kenton claimed that only 103,000 medical records of Bupa clients were sold on the dark web, reports from DataBreaches revealed that at least 500,000 medical records were sold on the dark web by the vendor MoZeal.
Almost immediately after the breach and sale of medical records were disclosed to the company, Bupa terminated its contract with the former employee and is currently pursuing legal action against the employee and the identity behind MoZeal.
Previously, Deepdotweb reported that records that include a variety of personal information, such as financial and biological data, are of substantial value to buyers and hackers on the dark web. Prominent security researcher Brian Krebs explained that tax forms are the most sought-after items on the dark web and medical records are a close second.
“Tax filing information is probably the most premium type of record criminals can buy on the underground. It goes for $40 or $50, and unlike credit cards, never expires. People can try and get loans in someone’s name, make fake IDs in people’s names, get credit,” said Krebs.
Since mid-2016, cybersecurity and information technology companies including IBM have revealed that medical records have become a hot commodity on dark web marketplaces. In fact, one of IBM’s own researchers, senior threat researcher John Kuhn, was falsely charged tens of thousands of dollars after his healthcare company was hacked by an anonymous group of hackers.
Moreover, analysts at non-profit organizations including the Institute for Critical Infrastructure Technology revealed that 47 percent of US-based residents had their medical records stolen, hacked and sold on the dark web in 2015.
In an interview, IBM’s Kuhn noted that each medical record sells for around $60 on the dark web, mostly because criminals can use that information as leverage to commit additional criminal activities. If criminals can obtain health care records of high-ranking government officers or valuable public figures, stolen healthcare records can be used to directly blackmail victims.
Adam Levin, chairman and founder of IDT911, an identity protection company, explained that hospitals and healthcare companies will need to tighten security measures of their systems in order to prevent security breaches.
More importantly, access to healthcare records should be restricted even for employees to ensure that the centralized systems of healthcare service providers remain secure.
“Ultimately though, hospitals need to do a better job with security. This is a real crisis in America, and medical identity theft is a potentially life-threatening crime, not to mention the inherent value of medical files,” Levin said.