
A Hospital's Patient Records Appeared on a Dark Web Forum

November 18, 2024
Outcome

Breach scope determined within 8 hours; HIPAA notification supported; dark web listing disrupted.

Background

A regional hospital system's patient records appeared for sale on a dark web marketplace. The listing claimed to contain 340,000 patient records including names, SSNs, medical histories, and insurance information.

Investigation Methodology

  1. Listing Verification: We obtained a sample from the dark web listing to verify whether the records were genuine and from the claimed source.
  2. Breach Scope Analysis: Using the sample data, we determined the approximate date range of the records and the systems likely compromised.
  3. Threat Actor Profiling: The seller's dark web profile, previous listings, and reputation were analyzed to assess credibility and intent.

Key Findings

  • The sample records were confirmed genuine — they matched formatting patterns unique to the hospital system's electronic health records platform.
  • The data appeared to span a 2-year window, suggesting a persistent access breach rather than a one-time exfiltration.
  • The seller was a known broker who typically auctioned medical records to identity theft rings.
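
The verification and scope steps above can be sketched as a small triage script. This is an added example, not the investigators' tooling: the field names, the MRN pattern and the 0.8 match threshold are assumptions, and the sample records are constructed.

```python
import csv
import io
import re
from collections import Counter
from datetime import date

# Hypothetical identifier format assigned by the EHR platform (assumption;
# the page does not give the real pattern).
MRN_PATTERN = re.compile(r"^RH-\d{2}-\d{6}$")

# Constructed excerpt in the shape of a leaked sample; no real patient data.
SAMPLE_CSV = """mrn,source_system,encounter_date
RH-22-004183,ehr-inpatient,2022-10-03
RH-23-019277,ehr-inpatient,2023-02-14
RH-23-051420,ehr-billing,2023-08-30
RH-24-000912,ehr-inpatient,2024-01-09
RH-24-073355,ehr-billing,2024-09-21
X9981,unknown,2019-05-05
"""

def analyze_sample(text, min_match_ratio=0.8):
    """Estimate authenticity and breach scope from a sample of listed records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    # Step 1: how much of the sample carries the platform's own formatting?
    genuine = [r for r in rows if MRN_PATTERN.match(r["mrn"])]
    ratio = len(genuine) / len(rows) if rows else 0.0
    # Step 2: only format-matching records inform the scope estimate, so
    # filler rows padded into a listing do not skew the date range.
    dates = sorted(date.fromisoformat(r["encounter_date"]) for r in genuine)
    span_days = (dates[-1] - dates[0]).days if dates else 0
    return {
        "records": len(rows),
        "format_match_ratio": round(ratio, 2),
        "likely_genuine": ratio >= min_match_ratio,
        "earliest": dates[0] if dates else None,
        "latest": dates[-1] if dates else None,
        # A long span is what the findings read as persistent access.
        "span_days": span_days,
        "distinct_months": len({(d.year, d.month) for d in dates}),
        # Which source systems the records point to.
        "systems": Counter(r["source_system"] for r in genuine),
    }

if __name__ == "__main__":
    for key, value in analyze_sample(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```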

Outcome

The hospital's CISO was briefed within 8 hours. The information supported the mandatory HIPAA breach notification process, including scope determination and affected individual identification. Law enforcement engaged the dark web marketplace for listing removal. Total investigation time: 72 hours.
