Hackers post detailed patient medical records from two hospitals to the dark web

Kevin Collier
·4 min read

Hackers have published extensive patient information from two U.S. hospital chains in an apparent attempt to extort them for money.

The files, which number in at least the tens of thousands and were posted to a blog on the dark web that the hackers use to name and extort their victims, includes patients’ personal identifying information, like their names, addresses and birthdays, as well as their medical diagnoses. They come from the Leon Medical Centers, which serves eight locations in Miami, and Nocona General Hospital, which has three locations in Texas.

The files also include at least tens of thousands of scanned diagnostic results and letters to insurers. One folder contains background checks on hospital employees. An Excel document titled 2018_colonoscopies has 102 full names, dates and details of the procedures, and a field to mark “yes” or “no” to whether the patient has a “normal colon.”

The hacker group that posted the files is well known to cybersecurity researchers. They typically first encrypt their victims’ files and demand payment, and it’s rare for them to publicly release such files first. But at least with Nocona, that appears to be what happened. The motive for the release of the files is unclear.

The leak highlights how hackers have in recent years steadily targeted American hospitals, small businesses, schools and government computers, often infecting them with ransomware,which is malicious software that locks up computers, rendering them inoperable. Hackers then demand payment, usually in bitcoin, to unlock the files.

Redacted image leaked from Leon Medical Centers.
Redacted image leaked from Leon Medical Centers.

At least 560 health care providers were hit with ransomware in 2020, according to a survey by the cybersecurity firm Emsisoft. In October, several federal agencies issued warnings about "an increased and cybercrime imminent threat" directed at hospitals.

Some ransomware gangs have declared hospitals off limits, but others have found them particularly ripe targets. The fallout when doctors and nurses suddenly can't access their computers can be severe. And since many hospital chains share the same computer networks across dozens or hundreds of physical locations, a single ransomware infection can delay medical procedures across the country.

Some ransomware gangs have increasingly turned to leaking their victims’ personal files online if they refuse to pay, but dumping such vast troves of personal medical information is a line that not many have crossed, Brett Callow, a ransomware analyst at Emsisoft, said.

“When financial stuff leaks, people can at least fix their credit,” Callow said in a text message. “Not so with health stuff. Once it's out there, it's out there.”

In January, Leon Medical Centers announced that it had been hacked in November, and that it had soon determined that “certain files stored within Leon Medical’s environment that contain personal information had been accessed by the cybercriminals.”

A redacted image leaked from Nocona General Hospital.
A redacted image leaked from Nocona General Hospital.

That includes “name, contact information, Social Security number, financial information, date of birth, family information, medical record number, Medicaid number, prescription information, medical and/or clinical information including diagnosis and treatment history, and health insurance information,” the announcement said.

As first reported by DataBreaches.net, a website that tracks exposures of medical data, Leon has notified the U.S. Department of Health and Human Services of a data breach, but only estimated 500 patients were affected.

In an emailed statement, Yolanda Foster, a spokesperson for Leon, wrote: “We are working diligently with third-party forensic experts to complete an investigation into the matter. As soon as possible, we will provide direct notifications to any affected individuals.”

One lingering question is why the hackers, who did not respond to requests for comment sent to an email address or through their website, leaked the information. Many hacker groups, including the one that posted the two hospitals' patient information, only leak sensitive files as retribution when their victims don't pay for ransomware.

Foster declined to address specifics about whether Leon had been hit with ransomware. Nocona didn't appear to have been a victim of ransomware, and no systems there appear to have been encrypted, Brian Jackson, an attorney representing the firm, said.

"I can't tell you with absolute certainty that they did not send a ransom demand," he said in a phone call. "I can tell you we did not open one."