The hacker, who goes by the name of "thedarkoverlord," is also holding the records for ransom, asking the as-yet-unnamed healthcare organizations to pay $100,000, $205,000 and $411,000 for the databases, according to two published reports.
The hacker has described the databases as coming from Farmington, Mo, (48,000 patients), the central/midwest states (210,000 patients) and Georgia (397,000 patients).
The data breach and subsequent online sale was originally reported by the news site Deep Dot Web; patient records include those of Blue Cross Blue Shield.
The hacker claimed to have already sold $100,000 worth of records from the Georgia healthcare organization, according to the online publication Motherboard.
Motherboard, which claimed it spoke with the hacker, said it was provided with a sample of 30 patient records, which it used to confirm the patients' identities by calling them on phone numbers provided in the records.
"Someone wanted to buy all the Blue Cross Blue Shield insurance records specifically," the hacker told the publication. The hacker went on to say that the ransoms he was requesting from the healthcare organizations were "modest" amounts "compared to the damage that will be caused to the organizations when I decide to publicly leak the victims."