In the landscape of cyber threats targeting Italy, a particularly sensitive new incident has emerged: the sale, on a well-known Russian underground forum, of a vast archive containing healthcare data of citizens from Northern Italy. The listing was posted by a user with the nickname “wizgun,” already active in contexts linked to international cybercrime.

The seller claims to possess a database containing PDF medical prescriptions, exemption certificates, sick leave permits, and detailed personal information, with documents dating back at least to 2020. The ad describes a large, structured data package, potentially traceable to systems used by general practitioners in northern regions.

What the database contains

According to the information posted on the forum, the dataset reportedly includes:

  • Over 350,000 records with full personal data (first and last name, home address, insurance number).
  • Approximately 390,000 PDF medical prescriptions.
  • 90,000 identified patients, including:
    • 30,000 with an associated email address
    • 4,300 with a phone number (landline or mobile).

The listing also shows some examples of complete records, including extremely sensitive information such as drug prescriptions, specialist visits, addresses, contact details, and personal codes linked to healthcare services.

Sales method and prices

The seller offers a modular sale, either per single profile or the entire archive, with the option to use an escrow service. Contacts are handled via private messaging and via Session, a platform preferred for anonymous communications.

The listed prices are:

  • 25 euros per single profile with prescriptions.
  • 35 euros per complete profile including personal data, contacts, prescriptions, and documents related to sick leave.
  • 1.84 BTC for the entire database, at Bitcoin’s value at the time of posting.

Possible origin of the data leak

The seller refers to two news articles documenting a cyberattack on the healthcare platform used by general practitioners in Lombardy. The contents described in the articles and those reported in the listing show several matches, both in the types of documents stolen and in the timeline:

  • MilanoToday: Cyber attack on the GPs’ portal.
  • Corriere della Sera: Cyber breach on the healthcare platform for prescriptions.

It is plausible that the database for sale stems from the compromise described by these outlets, although there is still no official confirmation from the authorities.

Why this incident is particularly critical

A healthcare data leak of this magnitude is one of the worst possible scenarios in terms of impact on people’s privacy and safety. Medical data are immutable and, once published in criminal environments, difficult to contain.

An archive like the one described can be exploited for:

  • targeted extortion
  • insurance scams and fraud
  • highly credible phishing
  • identity theft
  • illegal profiling for commercial or discriminatory purposes.

The combination of healthcare data, emails, phone numbers, and addresses makes this dataset particularly attractive to malicious actors.

Conclusions

The appearance of this database on a Russian forum once again confirms the growing interest of international cybercrime in Italian healthcare infrastructures. The sale of hundreds of thousands of prescriptions and personal data also highlights the structural limits of regional digital systems and the urgent need to strengthen security measures.

It will be essential to monitor the spread of the material, assess the authenticity of the data, and verify whether the leak is connected to the attack reported in the media. In the meantime, the incident represents one of the most serious cases in recent years in the Italian healthcare sector and calls for careful reflection on the digital security of medical platforms.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO