As you may know, medical records are protected in the US under federal and state law. Hospitals, doctors and insurers can face substantial fines and penalties when medical records are leaked online. On Dec 30th, 2016 the MacKeeper Security Research Center discovered a misconfigured, publicly accessible MongoDB database that contained hundreds of thousands of what appeared to be patient records and other sensitive information.
The IP address was hosted on Google Cloud, and a reverse IP lookup of the domain names hosted on that address pointed to Emory Brain Health Center. On Jan 3rd, 2017, when the research team returned to review the data, they found that the database had fallen victim to the "Harak1r1" 0.2 Bitcoin ransomware. Unlike conventional ransomware, which encrypts data in place, this attack drops the victim's data from the database entirely and the ransom note claims the attacker holds a copy until the ransom is paid. Nothing in the note proves that a copy was actually retained, so a victim should treat the data as both stolen and destroyed. See details here:
In the original scan of the database by the MacKeeper Security Research Center the estimated number of records exposed appeared to be more than 200,000. They were broken down across the following collections, listed by name and record count:
'Clinicworkflow' contained 6,772 records (medical record number, address, birth date, name, last name)
'Orthopaedics' contained 31,482 records (first name, last name, medical record number, address, email)
'Orthopaedics2' contained 157,705 records (cellphone, first name, last name, address, email)
'Orthoworkflow' contained 168,354 records (cellphone, first name, last name, birth date, address, email)
The following message was found in the database:
"mail" : "email@example.com",
"note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
Text example of records and data that have since been pulled by the Harak1r1 0.2 Bitcoin ransomware. This example was captured before the data was removed.
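For readers doing incident triage on their own MongoDB instances, here is a small Python script, added as an example and not part of the original post or of MacKeeper's tooling, that scans a dump for a ransom note of the kind quoted above and lists the collections that were left empty. It assumes the dump has already been exported to a dict shaped like {database: {collection: [documents]}} (what you get from mongodump plus bsondump, or from a pymongo listing), so it runs offline. The "WARNING" database and collection names, the "patients" database name and the sample documents are constructed for the example; only the note text is taken from the post.

```python
"""Triage helper for MongoDB dumps hit by a harak1r1-style wipe-and-ransom.

Added example, not code from the original post. It works on an exported dict
shaped like {db_name: {collection_name: [docs]}}, so no live server is needed.
"""
import re
from typing import Dict, List, Optional

# Base58 P2PKH/P2SH Bitcoin addresses: 26-35 chars, start with 1 or 3, no 0/O/I/l.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_ransom_note(doc: dict) -> Optional[dict]:
    """Return the extracted demand if `doc` looks like a ransom note, else None.

    A note is any document whose string fields mention a BTC amount and carry a
    syntactically valid Bitcoin address. Matching on the address rather than on
    exact wording keeps the rule useful when the attacker rephrases the text.
    """
    text = " ".join(str(v) for v in doc.values() if isinstance(v, str))
    address = BTC_ADDRESS_RE.search(text)
    amount = BTC_AMOUNT_RE.search(text)
    if not address or not amount:
        return None
    email = EMAIL_RE.search(text)
    return {
        "btc_address": address.group(0),
        "amount_btc": float(amount.group(1)),
        "contact_email": email.group(0) if email else None,
    }


def triage_dump(dump: Dict[str, Dict[str, List[dict]]]) -> dict:
    """Find ransom notes in every collection and list collections left empty.

    Empty collections sitting beside a ransom note are the signature of a wipe
    (data dropped, not encrypted). That distinction matters for the response:
    restore from backup, and treat the records as exfiltrated for notification
    purposes, since the note offers no proof that a copy was kept.
    """
    notes = []
    emptied = []
    for db_name, collections in dump.items():
        for coll_name, docs in collections.items():
            if not docs:
                emptied.append(f"{db_name}.{coll_name}")
                continue
            for doc in docs:
                note = parse_ransom_note(doc)
                if note:
                    notes.append({"location": f"{db_name}.{coll_name}", **note})
    return {"ransom_notes": notes, "emptied_collections": emptied}


# Constructed sample dump. The note text is the one quoted in the post; the
# "WARNING" and "patients" names are assumptions for the example, and the
# patient collections are empty as they would be after the wipe.
SAMPLE_DUMP = {
    "WARNING": {
        "WARNING": [{
            "mail": "email@example.com",
            "note": "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq "
                    "AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !",
        }],
    },
    "patients": {
        "Clinicworkflow": [],
        "Orthopaedics": [],
        "Orthopaedics2": [],
        "Orthoworkflow": [],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage_dump(SAMPLE_DUMP), indent=2))
```

To use it on a real instance, export each collection with mongodump and bsondump (or iterate `client.list_database_names()` and `db.list_collection_names()` in pymongo) into the dict shape above, then pass it to triage_dump. The extracted Bitcoin address and contact email are the indicators worth recording for the incident report and for cross-checking against other victims' notes.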
The big question: if the database discovered by the MacKeeper Security Research Center did in fact belong to Emory Healthcare, have they taken the proper steps to inform their patients and the authorities about this data theft and breach?
In cooperation with Dissent from databreaches.net we have reached out to multiple contacts in an attempt to confirm the connection to Emory Healthcare, or to get a comment on how they plan to recover their data and notify patients. We will continue to post updates, and more can be seen here:
For more information or media requests please contact firstname.lastname@example.org