Hackers Use Fake Emergency Data Requests to Get Customer Info

Hackers are using email accounts and websites associated with police departments and other government agencies to send unauthorized demands for healthcare patient data, saying the information can’t wait for a court order, according to a Krebs on Security report Tuesday (March 29).

In the U.S., federal, state or local law enforcement agencies that want to obtain information about who owns an account at a social media firm or what internet addresses a specific cell phone account has used in the past must submit an official court-ordered warrant or subpoena, the report says.

In cases involving imminent harm or death, an investigating authority may make what’s known as an Emergency Data Request (EDR), which bypasses the official review process and doesn’t require the requestor to supply any court-approved documents, according to the report.

“It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate,” the report says. Hackers send fake EDRs and an attestation that people will suffer or die unless the requested data is provided immediately.

“In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person,” according to the report.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice. “And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately.”

On the bright side of healthcare cybersecurity news, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), said earlier this month that February 2022 saw a new low in hospital and health system data breaches, coming off a year considered the worst in history for healthcare-related hacks.