Major U.S. Healthcare Breach: Data of 2.1 Million Zealthy Patients Advertised for Sale

By: Morgan Cipher, Senior Privacy Journalist

Last updated: January 19, 2026

  • A massive trove of sensitive healthcare data, allegedly stolen from the virtual medical platform Zealthy, is now being shopped on the dark web.

  • The breach is said to have exposed over 2.1 million records of both patients and employees of the health organization.

  • Cybercriminals have gradually set their sights on the US healthcare industry, which has a history of significant breaches.

A cybercriminal using the alias “stuckin2019” is advertising the sale of a database impacting over 2.1 million patients in the United States, marking one of the most significant potential healthcare data breaches in recent months. The individual or group behind the breach claims it stole not only patient data but also private employee information and internal company documents.

They posted an ad on one of the largest dark web marketplaces and included data samples as evidence of the breach. The types of information listed are a worst-case scenario for patient privacy and corporate security.

According to the listing, the stolen data includes highly sensitive details such as patients’ full names, email addresses, phone numbers, and physical addresses. More alarmingly, it also reportedly contains driver’s license information, specific patient healthcare records, employee personal information, and internal company documents.

Why Healthcare Data is a “Crown Jewel” for Hackers

A breach of this nature is far more severe than a standard leak of email addresses. Healthcare records are considered the “crown jewel” of personal data on the criminal underground. This is due to their comprehensiveness and permanence. Unlike a credit card number that banks can cancel and replace, your medical history, date of birth, and government ID details cannot be changed.

This specific combination of data enables several layers of lucrative criminal activity:

Medical Identity Theft

With medical identity theft, a thief can use an individual’s stolen identity to obtain prescription medication, submit a false insurance claim, or even receive medical treatment under that person’s name, creating inaccurate medical records and huge debt for the true owner of the name.

Targeted Phishing and Extortion

With knowledge that victims are patients of a specific telehealth service, criminals can craft hyper-personalized phishing emails or calls pretending to be from Zealthy, a doctor’s office, or an insurance provider. The inclusion of internal documents could be used for corporate extortion, threatening to leak proprietary information unless a ransom is paid.

Synthetic Identity Fraud

Driver’s license data, combined with other personal information, is a key ingredient for creating new, synthetic identities used to open bank accounts and secure loans, creating long-term financial havoc.

The Murky Path of a Healthcare Data Breach

The post from “stuckin2019” illustrates the growing trend of cybercrime in the healthcare sector. Criminals have many methods of obtaining initial access to a company’s network.

Examples include a phishing email that lures a user into clicking a link that installs malware on their computer, exploitation of an unpatched vulnerability in a software program, or the use of stolen login credentials.

After gaining access, the attackers spend a considerable amount of time “dwelling” within the company’s network while they locate and extract the information they expect to provide the greatest return on investment.

Cybercriminals typically sell stolen data on invitation-only dark web forums or marketplaces after exfiltrating it from the asset owner. The original hacker’s goal is to monetize the breach quickly, while the downstream buyers will weaponize the information for various scams over months or even years.

There is no public comment yet from Zealthy concerning a breach of its data, but that could change once the company has conducted an internal forensic audit of the possible breach and issued its findings. The audit may take days or even weeks to complete before the firm makes any public announcement.

If the audit confirms the incident, the firm must report it to federal regulators, including the U.S. Department of Health & Human Services (HHS) Office for Civil Rights, which oversees enforcement of HIPAA (Health Insurance Portability and Accountability Act). Organizations that fail to comply with HIPAA may face substantial fines.

A Historic Trend of Past US Healthcare Data Breaches

Besides Zealthy’s alleged data breach, the US healthcare industry has recorded significant data breaches in the past that compromised sensitive information of affected patients.

In 2023, cybercriminals attacked HCA Healthcare, affecting nearly 11 million records. The breach involved data theft from an external storage location and exposed patients’ names, emails, and other service details.

Eye Care Leaders (ECL) suffered a breach of its system that compromised approximately 3.4 million records in a ransomware attack targeting its main electronic health record (EHR) system.

In 2022, cybercriminals launched a supply chain attack on OneTouchPoint to exfiltrate 4.1 million records. The incident was a mailing vendor breach that exposed patients’ data from multiple health plans. In 2021, Shields Health Care Group suffered an unauthorised intrusion into its database that compromised approximately 2,300,000 records.

The breaches at Forefront Dermatology and 20/20 Eye Care Network in 2021 each involved ransomware attacks on the organizations’ own databases, compromising about 2.4 million records (Forefront) and 3.3 million records (20/20 Eye), respectively.

Anthem (now called Elevance Health) was also the victim of a sophisticated hack. Reports describe the organization’s data breach as one of the largest healthcare breaches at the time, compromising approximately 78.8 million records and resulting in a settlement of about $115 million.

The advertisement about Zealthy provides evidence that very sensitive, personal information is a desirable commodity for cybercriminals, and the healthcare sector is constantly under threat from advanced cybercriminals.

About the Author

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.