Stolen Data from the suspected ransomware attack on Prospect Medical Holdings in August recently appeared for sale on the dark web. The sensitive personally identifiable information (PII) includes more than 500,000 social security numbers, patient and employee passports, driver’s licenses, medical patient files including protected health information (PHI), financial documents, and legal documents, according to a screenshot posted to Twitter (X) by the user, @CyberSleuth1.
The dark web listing for the data claims that the sale includes 1 terabyte (TB) of files, as well as a 1.3 TB SQL database. However, it is difficult to verify the veracity of this claim without obtaining the stolen data.
Cybersecurity experts say the breach had the hallmarks of a ransomware attack; however, officials refuse to confirm that this is the case. The attack initially forced the hospital group to suspend operations of emergency departments and ambulance services, as well revert internal documentation processes to paper.
Experts believe that the ransomware gang, Rhysida, who is suspected of being behind the attack, is attempting to pressure Prospect Medical into paying the demanded ransom to avoid an expensive public relations fiasco by posting the stolen information for sale on the dark web.
The operator of hospitals in multiple states continues to struggle to restore availability of several of its systems for nearly a month. As of August 18, 2023, many services were still offline, resulting in the continued postponement of some elective surgeries, outpatient services, and more, according to the Associated Press.
In a statement provided to Axios, a company spokesperson said, “Prospect Medical continues to work around-the-clock to recover critical systems and restore their integrity. We are making significant progress. Some operational systems have been fully restored and we are in the process of bringing others online.”
Ransomware groups often target hospitals and healthcare companies because their systems are known to hold troves of sensitive PII & PHI. The healthcare industry is also known for using outdated systems and technology with minimal cybersecurity protections.
Rhysida’s dark web sale price for the stolen data and documents is 50 Bitcoin (BTC) or roughly $1.3 million at the time of publishing.
The Federal Bureau of Investigation (FBI) advises victims of ransomware attacks not to pay ransoms, as there is no guarantee that the stolen data will not be sold later on the dark web. Additionally, payment encourages future attacks and finances operations of ransomware groups.