Chennai, Dec 03, 2022: The personal data of 1.5 lakh patients from Tamil Nadu’s Sree Saran Medical Center was sold by hackers on popular cyber crime forums and a Telegram channel used to sell databases. The data breach was discovered by CloudSEK, a firm that predicts cyber threats.
According to CloudSEK, the sensitive data was allegedly sourced from a compromised third-party vendor, Three Cube IT Lab, and includes patient data from 2007 to 2011. However, CloudSEK said it has no information that Three Cube may be operating as a software vendor for Sree Saran Medical Center.
The hackers shared a sample as proof for potential buyers to inspect the authenticity of the data. The leaked data contains names of the patients, birth dates, addresses, guardian’s names and doctor’s details.
CloudSEK’s researchers used the names of doctors in the database to identify the healthcare firm whose data was present in the sample. They were able to identify that the doctors work at Sree Saran Medical Center in Tamil Nadu.
CloudSEK has now informed all the stakeholders about the data breach. Noel Varghese, a threat analyst at CloudSEK said, "We can term this incident as a Supply Chain Attack, since the IT Vendor of the Hospital, in this case Three Cube IT Lab, was targeted first. Using access to the vendor’s systems as an initial foothold, the threat actor was able to exfiltrate Personally identifiable information (PII) and Protected Health Information (PHI) of their hospital clients.”
This discovery of the sale of patient data comes just a day after a cyber attack on the All India Institute of Medical Sciences (AIIMS) in Delhi compromised the personal data of millions of patients.
The online hackers had advertised the patients’ data for a price of USD 100, which means that multiple copies of the database would be sold. For those seeking to be the exclusive owner of the database, the price was raised to USD 300. Further, if anyone intended to resell the database, the quoted price was USD 400.
Courtesy: India Today