Man gets 30 months for selling thousands of hacked DraftKings accounts
Overview
A Memphis man received 30 months in federal prison for trafficking in compromised DraftKings accounts, highlighting the persistence of credential-based attacks targeting online service platforms. While DraftKings is a sports betting platform rather than a healthcare entity, the case underscores a critical threat facing healthcare practices: credential stuffing attacks and account takeover schemes that exploit weak authentication controls. The same techniques used to compromise tens of thousands of consumer accounts apply directly to patient portals, EHR systems, and practice management platforms where ePHI resides.
Key Developments
- Kamerin Stokes, 23, sentenced to 30 months imprisonment for unauthorized access and sale of compromised accounts
- Sold access to tens of thousands of hacked DraftKings accounts through underground marketplaces
- Attack likely involved credential stuffing—automated login attempts using credentials stolen from other breaches
- Demonstrates the commoditization of stolen access credentials in cybercriminal ecosystems
- Federal prosecution under the Computer Fraud and Abuse Act (CFAA), the same statute applied to healthcare data breaches
Industry Impact
This prosecution illustrates how account-based attacks scale rapidly when organizations lack proper authentication controls. For healthcare, the implications are severe: 78% of healthcare data breaches in 2024 involved hacking or IT incidents, with credential compromise as a leading vector. Unlike consumer platforms, healthcare breaches trigger mandatory breach notification, OCR investigations, and potential HIPAA penalties starting at $100–$50,000 per violation.
The case also highlights law enforcement's growing sophistication in prosecuting cybercrimes—enforcement that increasingly extends to healthcare entities failing to implement reasonable safeguards against known threats. OCR's 2024 enforcement actions have emphasized authentication failures, particularly where multi-factor authentication (MFA) was absent or improperly configured.
What This Means for Your Practice
Independent practices face the same credential-based threats at smaller scale but with proportionally higher consequences. Consider:
- Patient portal credentials are frequently reused passwords from compromised consumer sites
- EHR and practice management logins without MFA create single points of failure
- Vendor accounts (billing, labs, telehealth) expand your attack surface
- Per-patient breach costs average $408 in healthcare, with notification costs alone reaching thousands
Immediate actions:
- Enforce MFA on all systems touching ePHI—portals, EHR, email, practice management
- Audit access logs regularly for unusual login patterns or locations
- Review BAAs to confirm vendors implement equivalent authentication controls
- Train staff on password hygiene and credential security
- Monitor credential leak databases for practice-associated email addresses
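One way to audit access logs for the patterns described above, as an added example (not code from this page or from Patient Protect): it flags source IPs that fail logins against many distinct accounts inside a short window, the signature of automated credential stuffing, and accounts that successfully log in from many distinct IPs, a sign of a stolen credential in use. The log format, field order and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO timestamp> <user> <ip> <result>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 alice 203.0.113.7 FAIL
2024-05-01T10:00:02 bob 203.0.113.7 FAIL
2024-05-01T10:00:03 carol 203.0.113.7 FAIL
2024-05-01T10:00:04 dave 203.0.113.7 FAIL
2024-05-01T10:05:00 alice 198.51.100.2 SUCCESS
2024-05-01T10:06:00 alice 198.51.100.9 SUCCESS
2024-05-01T10:07:00 alice 192.0.2.44 SUCCESS
2024-05-01T11:00:00 bob 198.51.100.5 FAIL
2024-05-01T11:00:30 bob 198.51.100.5 SUCCESS
"""

def parse_log(text):
    """Return sorted (timestamp, user, ip, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "SUCCESS"))
    return sorted(events)

def _max_distinct_in_window(items, window):
    """items: time-sorted (ts, value) pairs. Largest count of distinct values in any window."""
    best, lo = 0, 0
    for hi in range(len(items)):
        while items[hi][0] - items[lo][0] > window:
            lo += 1
        best = max(best, len({v for _, v in items[lo:hi + 1]}))
    return best

def stuffing_sources(events, window=timedelta(minutes=10), min_users=4):
    # One IP failing against many different accounts in a short window: credential stuffing.
    fails = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:
            fails[ip].append((ts, user))
    return {ip: n for ip, items in fails.items()
            if (n := _max_distinct_in_window(items, window)) >= min_users}

def takeover_candidates(events, window=timedelta(minutes=10), min_ips=3):
    # One account succeeding from many different IPs in a short window: credential in the wrong hands.
    wins = defaultdict(list)
    for ts, user, ip, ok in events:
        if ok:
            wins[user].append((ts, ip))
    return {user: n for user, items in wins.items()
            if (n := _max_distinct_in_window(items, window)) >= min_ips}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(ev), "takeover candidates:", takeover_candidates(ev))
```

Thresholds and windows should be tuned to the practice's normal traffic; the IP flagged here fails against four accounts in four seconds, while bob's single retry from one address is not reported.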
How Patient Protect Helps
Patient Protect's Security Alerts provide real-time monitoring for suspicious authentication patterns, flagging anomalous logins before they become breaches. Our ePHI Audit Logging creates immutable per-session access records that detect credential misuse and support forensic investigation—the exact evidence needed in breach response.
The Vendor Risk Scanner tracks BAA compliance and authentication requirements across your third-party ecosystem, ensuring vendors implement MFA and adequate access controls. Patient Protect's Breach Simulator models credential stuffing and account takeover scenarios against your actual controls, quantifying risk before an incident occurs.
With Access Management across 9 defined user roles and granular permissions, you implement least-privilege access—the core defense against credential compromise. Our 80+ Training Modules include specific content on password security, phishing recognition, and MFA adoption to build workforce resilience.
Start a free trial at hipaa-port.com or check your risk at patient-protect.com/risk-assessment.
AI-generated analysis · Verify with original source

