Healthcare Data Breaches: Patient PII Theft Isn’t the Only Goal

As if healthcare workers haven’t had enough to manage during the pandemic, new IntSights research has found multiple instances of theft involving their personally identifiable information (PII).

Security researchers and healthcare security professionals have tended to focus on patients as the primary targets of PII theft in the healthcare industry. Coverage of underground criminal forums indicates that this focus on patient data is well-founded, but doctors, healthcare workers, and other employees of healthcare organizations can become targets of PII theft as well. Just as in many other industries, both customers and employees can become victims of PII theft in the event of an enterprise-wide breach.

For example, in February 2021, underground criminal forum username “cesarbsfilho” (whose name suggests Brazilian or Portuguese origins, despite his use of an English-speaking forum) offered to sell access to a Mongo database from a Brazilian hospital. The database included records for 198,926 patients and 4,646 employees. The employee records included their names, dates of birth, Brazilian taxpayer numbers, Brazilian identity document numbers, and job descriptions (see below).

IntSights Healthcare & Pharmaceutical Industry Cyber Threat Landscape Report - Figure 27


In April 2021, the South American criminal group KelvinSecTeam offered to sell for $500 USD a database of approximately 200,000 US doctors. The fields for this database included names, street addresses, email addresses, phone numbers, specialties, and medical license numbers. In May 2021, the same group later offered to sell a Portuguese medical database with approximately 94,000 records. The fields in this database for specialties and license numbers suggest that it was also a database of physicians or other healthcare workers (see below).

IntSights Healthcare & Pharmaceutical Industry Cyber Threat Landscape Report - Figure 29


In November 2020, criminal forum username “husseinb” shared a purportedly compromised database of 247,000 users of PlexusMD, a professional social network for doctors and other healthcare professionals in India. The purported database included names, dates of birth, street addresses, usernames, email addresses, passwords, phone numbers, and photos for users (see below).

IntSights Healthcare & Pharmaceutical Industry Cyber Threat Landscape Report - Figure 30


Even datasets like employee directories can be useful to attackers for reconnaissance purposes and in the planning and execution of social engineering or phishing attacks, both inside and outside this industry, in order to gain further access. For example, in April 2021, underground criminal forum username “ForumRAID” offered to sell the employee directory of a Chinese pharmaceutical company. The database fields for the approximately 7,000 employees included names, phone numbers, fax numbers, and email addresses (see below).

IntSights Healthcare & Pharmaceutical Industry Cyber Threat Landscape Report - Figure 31

Addressing PII Theft in Healthcare

Healthcare organizations must understand their threat landscape and its distinctive vulnerabilities. This will allow leadership to improve organizational defenses against the most pressing threats.

Read our 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report for a comprehensive look at the industry’s threats as well as detailed recommendations for building a strong defense.


Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.