The recent US healthcare database breaches: a look at what’s happening

Even cyber intelligence seems to be driven by media sensationalism today. Intelligence is about gathering information, processing it, and reaching conclusions. It is more than a single piece of data: information must be gathered and analyzed over time before accurate conclusions can be drawn. The recent (and ongoing) healthcare database breaches are a perfect example of why this matters. Let’s take a look at what has transpired thus far.

Chain of events

News first hit media outlets on Monday, June 27, 2016. Reports announced that a US healthcare database had been breached, and half a million patient records had been stolen and posted for sale by the alleged hacker on the Dark Web. Later reports suggested that even more records had been stolen.

The plot thickens

Cymmetria’s team discovered this breach as part of our threat intelligence efforts. When we saw the alleged hacker continuing to post on the Dark Web, we realized the media’s information was incomplete and incorrect (which naturally happens often, but in this case the vendor frenzy caused many follow-up intelligence reports to be faulty). More breached databases, with more stolen records, were being posted for sale. Our intelligence shows that there were actually three different sales posted:

Screenshot from the Dark Web showing three breached databases for sale


In fact, one of Cymmetria’s Dark Web analysts discovered that in addition to what had already been reported, another 9.3M healthcare records were uploaded:

Screenshot from the Dark Web showing 9.3M patient records for sale

The alleged hacker has posted samples of the stolen records as proof for potential buyers:

Screenshot from the Dark Web showing sample records posted as proof for buyers

How does this type of breach happen?

The hacker was able to reach this much information through lateral movement: essentially, propagating through the network and finding more machines to compromise. After bypassing other security measures such as preventative controls and sandboxing, attackers reach endpoints and bypass endpoint security solutions. They can then pivot and move laterally within the network, which gives them access to far more information. This is obviously problematic.
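One defensive signal for the lateral movement described above is authentication fan-out: a single host that starts successfully logging on to many distinct machines in a short window, to pairs of hosts that have never talked before. The script below is an added example written for this post, not Cymmetria’s code or part of MazeRunner. The log line format, the sample log lines, the baseline of known host pairs and the thresholds are all constructed assumptions for illustration.

```python
"""Constructed example: flag hosts whose successful-logon fan-out looks like
lateral movement. Log format, thresholds and sample data are assumptions
made for this example; they do not come from the post or any product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format: ISO timestamp, src, dst, user, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: 10.0.0.20 behaves normally, 10.0.0.9 is a known
# management host, 10.0.0.5 suddenly logs on to four hosts in under four minutes.
SAMPLE_LOG = [
    "2016-06-27T09:00:00Z src=10.0.0.20 dst=10.0.0.11 user=alice result=success",
    "2016-06-27T09:01:10Z src=10.0.0.5 dst=10.0.0.11 user=svc_backup result=success",
    "2016-06-27T09:02:05Z src=10.0.0.5 dst=10.0.0.12 user=svc_backup result=success",
    "2016-06-27T09:02:40Z src=10.0.0.5 dst=10.0.0.13 user=svc_backup result=failure",
    "2016-06-27T09:03:15Z src=10.0.0.5 dst=10.0.0.13 user=svc_backup result=success",
    "2016-06-27T09:04:50Z src=10.0.0.5 dst=10.0.0.14 user=svc_backup result=success",
    "2016-06-27T09:05:00Z src=10.0.0.9 dst=10.0.0.11 user=admin result=success",
    "2016-06-27T09:05:30Z src=10.0.0.9 dst=10.0.0.12 user=admin result=success",
    "2016-06-27T09:06:00Z src=10.0.0.9 dst=10.0.0.13 user=admin result=success",
    "2016-06-27T09:06:30Z src=10.0.0.9 dst=10.0.0.14 user=admin result=success",
    "2016-06-27T09:06:45Z src=10.0.0.9 dst=10.0.0.15 user=admin result=success",
    "this line is malformed and must be skipped",
]

# Constructed baseline: (src, dst) pairs that are expected to authenticate,
# e.g. a management host reaching the servers it administers.
BASELINE = frozenset(("10.0.0.9", "10.0.0.%d" % n) for n in range(11, 16))


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_fanout(lines, window=timedelta(minutes=10), max_distinct_dst=3,
                  baseline=frozenset()):
    """Return {src: sorted list of non-baseline destinations} for every source
    that successfully logged on to more than max_distinct_dst distinct hosts
    within any sliding window of length `window`. Failed logons and pairs
    present in the baseline are ignored, so known admin traffic stays quiet."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        if (e["src"], e["dst"]) in baseline:
            continue
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["dst"] for e in evs[start:end + 1]}
            if len(distinct) > max_distinct_dst:
                # Report every non-baseline host this source reached.
                alerts[src] = sorted({e["dst"] for e in evs})
                break
    return alerts


def run_example():
    """Run the detector over the constructed sample with the constructed baseline."""
    return detect_fanout(SAMPLE_LOG, baseline=BASELINE)


if __name__ == "__main__":
    for src, dsts in run_example().items():
        print("possible lateral movement from %s -> %s" % (src, ", ".join(dsts)))
```

With the baseline applied, only 10.0.0.5 is reported; without it the management host 10.0.0.9 would also trip the threshold, which is why a baseline of expected host pairs (built from a quiet period of real logs) matters as much as the threshold itself.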

We can’t help but think that our cyber deception solution, MazeRunner, could have helped prevent this severe information breach…