Personal Data of 1.5 lakh Patients of Tamil Nadu Hospital Sold By Hackers For $400: Report

Date: 2022-12-03

Chennai: The personal data of 1.5 lakh patients of Tamil Nadu’s Sree Saran Medical Center was sold by hackers for $400. According to a news report by India Today, the data breach was discovered by CloudSEK, a firm that predicts cyber threats. According to CloudSEK, the data was allegedly sourced from a compromised third-party vendor, Three Cube IT Lab, and includes patient data from 2007 to 2011.

CloudSEK, however, added that it has no information that Three Cube may be operating as a software vendor for Sree Saran Medical Center.

As per the report, the hackers shared a sample as proof for potential buyers to inspect the authenticity of the data. The breached data contains patients’ names, birth dates, addresses, guardians’ names and doctors’ details.

CloudSEK said its researchers used the names of doctors in the database to identify the healthcare firm whose data was present in the sample, and were then able to identify that the doctors work at Sree Saran Medical Center in Tamil Nadu. CloudSEK said it has now informed all the stakeholders about the data breach.

Noel Varghese, a threat analyst at CloudSEK, told the news portal, “We can term this incident as a Supply Chain Attack, since the IT Vendor of the Hospital, in this case Three Cube IT Lab, was targeted first. Using access to the vendor’s systems as an initial foothold, the threat actor was able to exfiltrate Personally identifiable information (PII) and Protected Health Information (PHI) of their hospital clients.”

The hackers had also advertised the patients’ data at a price of USD 100, which means that multiple copies of the database would be sold. For those who wanted to be the exclusive owner of the database, the price was raised to USD 300. And if anyone intended to resell the database, the quoted price was USD 400.