The Georgia Supreme Court has breathed new life into a lawsuit by patients of Athens Orthopedic Clinic (AOC) whose data were stolen by thedarkoverlord in 2016. In a decision issued this week, the justices unanimously reversed the Court of Appeals’ dismissal of the lawsuit, vacated other parts of that ruling, and remanded the case. At issue was what counts under Georgia law as a cognizable injury, the element a plaintiff must plead to bring a negligence suit. The lower courts had granted the clinic’s motion to dismiss, a majority agreeing that any harm the plaintiffs alleged was future harm and speculative. The state supreme court sided with the plaintiffs, finding that they had alleged enough harm to survive a motion to dismiss.

The Athens Orthopedic Clinic case was one of thedarkoverlord’s earliest known hacks and extortion attempts, in June 2016. This site’s coverage of the case and its aftermath can be found linked from here. When the clinic wouldn’t pay the extortion demand, the hackers allegedly falsely claimed to have sold some of the data they had listed on a dark web marketplace. Eventually, though, the hackers also began publicly releasing actual segments of the patient database on Pastebin. Those pastes were downloaded by unnamed others, increasing the risk that patient data were reaching people who could and would misuse them. At least one named plaintiff, Christine Collins, alleged that she suffered actual fraudulent activity on her credit card shortly after the attack. Adding to patients’ concerns, AOC announced that it had no insurance that would cover offering affected patients credit monitoring and/or identity theft restoration services.

While the litigation continues to work its way through the courts, one member of thedarkoverlord is preparing to stand trial for his role in the attack on the clinic and four other attacks.
Although not identified by name, AOC appears to be Victim 5 in Nathan Wyatt’s indictment. It also appears that AOC was the victim who received the “rap-style” phone threats allegedly made by Wyatt. AOC reported the incident to HHS in the summer of 2016, but there is still no closing summary of any investigation by OCR, which may mean that OCR still has an open investigation or case. DataBreaches.net notes that OCR has already closed its investigations into other TDO hacks from that same period, including two of the Missouri victims in the Wyatt case: Prosthetic & Orthotic Care and Midwest Orthopedic Pain and Spine. That the AOC case is not closed could mean that the Atlanta region of OCR is simply more backlogged than Missouri, or it may be a sign that AOC is not out of the woods with OCR yet.

One question OCR may have for AOC concerns the hackers’ claim that, even after AOC knew it had been hacked, it still did not change the login credentials to all of its systems, even after weeks had passed and the hackers had sent two emails saying they still had access. If that claim is accurate, the attackers’ original access path stayed open well after the intrusion was discovered, which is a basic containment failure. OCR might have questions about whether it happened, and if it did, it might also support the plaintiffs’ negligence claims.
“We’ll not be caught, ever.” — TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability, and will they continue to?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”). At times, fellow journalists and I have expressed concern about TDO gaming the media, i.e., using our reporting to pressure their victims into paying extortion demands. There was also the problem that, in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated. Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing, and that it needs to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information. And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part the media have not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

Athens Orthopedic Clinic
Peachtree Orthopedics
OC Gastrocare
An unnamed clinic in New York and an unnamed clinic in Oklahoma ??
Aesthetic Dentistry (New York)
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine
Little Red Door Cancer Services of East Indiana
Tampa Bay Surgery Center
La Quinta Center for Cosmetic Dentistry
Feinstein & Roe
Dougherty Laser Vision
Coliseum Pediatric Dentistry (aka Hampton Road Dentistry)

A few notes on the above: The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII only. The unnamed clinic in Oklahoma was also questionable, as the data appeared to be old and there wasn’t much of a sample provided for verification. It is not clear, therefore, whether those two should be counted as incidents. Of the four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two. There were no data dumps for Dougherty Laser Vision or Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes. Of special note: there is no evidence that the most recently disclosed hacks were actually recent. Some of them appear to have occurred last year, although it’s not clear when the entities first discovered they had been hacked.

Keeping the above in mind, and given that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

How many of the twelve confirmed breaches were reported to HHS?
How many of the twelve confirmed breaches were reported to state regulators?
How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

Athens Orthopedic Clinic
Peachtree Orthopedics
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine

Now that may be because not all of the entities are HIPAA-covered entities.
And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known about the breaches for months. So why haven’t 8 of the 12 breaches been reported to HHS? DataBreaches.net has filed a Freedom of Information request asking whether HHS received reports on these incidents, but has received no response from HHS as yet.

In answer to the second question: none of these breaches appears on the publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical information, you might expect to see some of them on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and the California Department of Public Health for any breach reports on these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question, notification to patients, DataBreaches.net could only find confirmation of patient notification for the incidents reported to HHS and for Little Red Door Cancer Services of East Indiana. The other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices ran in local media not indexed by Google. Of note, however, DataBreaches.net did contact patients of some of these entities, and patients of at least two of them, Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia, said that they either did not receive, or did not recall receiving, any notification. Neither entity had responded to inquiries from this site as to whether they had notified patients.
So here’s my request to the public: If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it? You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

OC Gastrocare
Aesthetic Dentistry (New York)
Tampa Bay Surgery Center
La Quinta Center for […]
While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more TV films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year. All told, almost 180,000 patients had their personal information shared with the world. Two of the incidents were previously known to this site and had already been included in the monthly analyses this site provides to Protenus for its Breach Barometer reports. But for the benefit of readers or journalists who seem to be discovering TDO for the first time, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site):

Athens Orthopedic Clinic
Peachtree Orthopedics
OC Gastrocare
An unnamed clinic in New York
Aesthetic Dentistry
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine
Little Red Door Cancer Services of East Indiana
An unnamed clinic in Oklahoma

DataBreaches.net strongly suspects that other medical clinics were also attacked but never disclosed publicly. In addition to medical clinics/providers and insurers, TDO’s victims have included software and third-party vendors such as PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer whose 9.3 million records were listed for sale on TheRealDeal. And then there were the attacks in other sectors, such as those on WestPark Capital, Gorilla Glue, Pre-Con Products, G.S. Polymers, DRI Title, and other entities.

For those new to TDO’s playbook, be aware that when they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market, or no longer any market, for the data.
Dumping the database is often part of their strategy to warn future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold. Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of the playbook, which may explain why they dropped three databases today. Whatever their reasons, here’s what we know so far about the three newly dumped databases.

Aesthetic Dentistry

Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply:

Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin. Despite the public pressure of having named patients’ medical diagnoses and other details revealed, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought. Today, seven months after the initial disclosure, TDO tweeted:

Don’t mind us as we dust off 3.5k dentistry patient records: https://t.co/o5dewUPA8y — thedarkoverlord (@tdohack3r) May 4, 2017

The database, in .csv format, contains 3,496 patient records. Its fields include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text. What may be of special concern to patients, apart from the risk of fraud, is the disclosure of their health information.
Diagnoses in the database include cardiovascular conditions such as heart murmur and hypertension, kidney disease, psychiatric conditions such as depression, and various allergies and sensitivities. Aesthetic Dentistry never responded to inquiries this site sent in January and February. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request with HHS in February asking whether the incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request.

OC Gastrocare

OC Gastrocare in California is another entity that TDO hacked last year and had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase the pressure to pay. Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted:

Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients: https://t.co/3OojH3PrVs — thedarkoverlord (@tdohack3r) May 4, 2017

Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ part. To this day, TDO’s public statements reveal an effort to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms). TDO has occasionally commented to this site that they believe clinics are not doing right by their patients when they refuse to pay “modest” extortion demands that could protect the patients’ privacy.
In other cases, they had told this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing. So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain. The OC Gastrocare data contain approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number is in plain text.

Tampa Bay Surgery Center

The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before:

Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us. https://t.co/gAlt5rhOXd — thedarkoverlord (@tdohack3r) May 4, 2017

[…]
In a post yesterday, I reported that protected health information and identity information of patients of Athens Orthopedic Clinic that had been leaked online by hackers remained available to anyone who knows where to look for it. Although it’s frustrating and understandably worrying to patients, I give AOC credit that they tried to find the leaks and plug them. I think patients of another victim of TheDarkOverlord have more cause to be upset with their provider, which neither responded to two notifications from this site that their patients’ information was leaking online nor got the records removed from public view.

On June 29, this site contacted Midwest Orthopedic Pain & Spine* in Farmington, Missouri, to alert them that TheDarkOverlord (TDO) had leaked some of their patients’ data. They never responded nor asked me where the data had been dumped. Again on July 23, this site contacted them through their web site contact form to alert them that the patient data was still exposed on Pastebin and to ensure they had the URL. Again, I got an auto-responder but no real response. In that July 23 message through their site, I wrote, in part:

I am a journalist who contacted you in the past, but got no response. I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at http://pastebin.com/[redacted]. I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course.
The Pastebin URL is redacted in the above message for now because, despite my messages of June 29 and July 23, that June 29 paste, with 499 patients’ information, is still available to anyone who knows where to look for it. It has now been viewed 96 times. Another copy of the same data is also still on Pastebin and has been viewed 192 times. The patients whose data were exposed in those duplicate pastes are those whose last names begin with the letters “A” and “B.” The data in the records may include name, Social Security number, date of birth, address, landline and cellphone numbers, and other details. On July 23, after sending the message to Midwest, I discovered another paste, dated that day, containing an additional 1,006 patients’ records in the same format. Here are the headings of the data fields:

Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1, Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone, Work Phone,Cell Phone

And here is a screenshot, redacted by this site, showing that the data were available to anyone who knows where to look.

DataBreaches.net has today asked Pastebin to remove the three pastes containing Midwest Orthopedic Pain & Spine patient data, but Midwest’s lack of response and inaction should be investigated by HHS and perhaps the Federal Trade Commission. If readers are aware of other patient data leaks that are still online, please let me know. Not all pastes can be removed (some sites have no removal policy), but Pastebin does have a removal policy, and it should be possible to get patient data removed from that site if it has been uploaded there.

—

* The medical group reportedly includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine; Dr. Christopher T. Sloan, D.P.M.
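The header above, like the 3,496-record .csv described in the Aesthetic Dentistry section, is the kind of dump an incident responder has to size before a notification letter can be written: how many distinct patients are affected once duplicate pastes are merged, which sensitive fields are actually populated, and whether a "sample" offered for verification is structurally real. The following is an added example of that triage, not code from DataBreaches.net or from any clinic named on this page. The two sample pastes it parses are constructed test data with invented names and deliberately invalid-range SSNs, laid out under the exact header the article reproduces; the SSN check applies the Social Security Administration's structural rules only and cannot tell whether a number was ever issued.

```python
"""Triage a leaked patient CSV of the kind described in the article.

Added example, not code from DataBreaches.net or from any entity named on
the page. PASTE_1 and PASTE_2 are constructed test data (invented names,
invalid-range SSNs) using the header the article reproduces; paste 2
repeats one record from paste 1, as the duplicate pastes described did.
"""
import csv
import io
import re
from collections import Counter

HEADER = ("Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1, "
          "Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone, "
          "Work Phone,Cell Phone")

PASTE_1 = HEADER + "\n" + "\n".join([
    "1,10001,Y,Abbott,Jane,M,,12 Elm St,,Farmington,MO,63640,000-12-3456,1970-03-04,F,M,N,jane@example.com,573-555-0101,,573-555-0102",
    "2,10002,Y,Baker,Tom,,Jr.,9 Oak Ave,Apt 2,Farmington,MO,63640,666-00-1234,1985-11-30,M,S,N,,573-555-0103,573-555-0104,",
])
PASTE_2 = HEADER + "\n" + "\n".join([
    "2,10002,Y,Baker,Tom,,Jr.,9 Oak Ave,Apt 2,Farmington,MO,63640,666-00-1234,1985-11-30,M,S,N,,573-555-0103,573-555-0104,",
    "3,10003,N,Bell,Ann,,,4 Pine Rd,,Park Hills,MO,63601,,1992-07-19,F,,Y,,,,",
])

SENSITIVE = ["SSN", "DOB", "Email", "Home Phone", "Work Phone", "Cell Phone"]


def parse_paste(text):
    """Parse one paste into dicts. The header has stray spaces after some
    commas (' Address Line 2', ' Work Phone'); strip them so names are exact."""
    reader = csv.DictReader(io.StringIO(text))
    reader.fieldnames = [f.strip() for f in reader.fieldnames]
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def merge_pastes(*texts):
    """Union of all pastes keyed on patient account number, so a block that
    was pasted twice does not inflate the affected-patient count."""
    seen = {}
    for text in texts:
        for row in parse_paste(text):
            seen.setdefault(row["Pat.Act.#"], row)
    return list(seen.values())


SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_plausible(ssn):
    """SSA structural rules: nine digits; area not 000, 666 or 900-999;
    group not 00; serial not 0000. A quick filter for whether a sample
    offered for verification looks like real data, nothing more."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def inventory(records):
    """Count populated values per sensitive field, plus how many SSNs pass
    the structural check. This is what a notification letter must describe."""
    counts = Counter({f: 0 for f in SENSITIVE})
    counts["SSN (plausible)"] = 0
    for r in records:
        for f in SENSITIVE:
            if r.get(f):
                counts[f] += 1
        if r.get("SSN") and ssn_plausible(r["SSN"]):
            counts["SSN (plausible)"] += 1
    return dict(counts)


def redact(record):
    """Reduce a record to what can safely sit in an incident report:
    last four of SSN, birth year only, first initial, contact data masked."""
    out = dict(record)
    out["SSN"] = ("***-**-" + record["SSN"][-4:]) if record["SSN"] else ""
    out["DOB"] = record["DOB"][:4] if record["DOB"] else ""
    out["First Name"] = (record["First Name"][:1] + ".") if record["First Name"] else ""
    for f in ("Email", "Home Phone", "Work Phone", "Cell Phone",
              "Address Line 1", "Address Line 2"):
        out[f] = "[redacted]" if record.get(f) else ""
    return out


if __name__ == "__main__":
    recs = merge_pastes(PASTE_1, PASTE_2)
    print(len(recs), "unique patients across both pastes")
    print(inventory(recs))
    for r in recs:
        print(redact(r))
```

Keying the merge on the account number rather than on name plus date of birth is deliberate: the same patient can appear with a changed address or phone number across pastes made weeks apart, and the account number is the one field the source system assigned uniquely.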
At the end of June, DeepDotWeb broke the story that hackers calling themselves TheDarkOverlord (TDO) had put three databases with patient information up for sale on the dark net. Although the owners of the databases were not listed, DataBreaches.net was able to identify two of the three entities as the Athens Orthopedic Clinic (AOC) in Atlanta and Midwest Orthopedic Pain and Spine (MOPS) in Farmington, Missouri. Both entities reportedly received ransom demands from TDO to pay up if they wanted their patient data destroyed rather than sold, but as of August 6, no ransom had been paid, according to TDO. Whether any has been paid since then is unknown, but doubtful. The third database, from an entity originally described as being in the Midwest but later identified more specifically as being in Oklahoma City, was never identified by DataBreaches.net nor named by TDO. TDO later claimed that they wouldn’t be naming the entity because it had paid the ransom, and its for-sale listing was removed from TheRealDeal Market. But paying a ransom does not negate any obligation under HIPAA and HITECH to notify patients and HHS of a breach, and DataBreaches.net notes that there is currently no entry on HHS’s public breach tool corresponding to any incident in Oklahoma affecting approximately 210,000 patients. Either the Oklahoma City entity did not report the incident to HHS, it reported but HHS has yet to post the report, or TDO fabricated the claim that an OKC database owner paid a ransom in order to boost its reputation. Given that TDO lied to some news outlets (including this one) about other claims, any of the three explanations seems possible at this point. The day after they made headlines with those three databases for sale, TDO also listed for sale what they described as an insurer’s database with 9.3 million records.
After attempting to contact people whose data were included in an expanded sample provided to this site by TDO, DataBreaches.net suspected that the database was linked to United Healthcare, but UHC denied it was their data. As I noted in my report, their denial did not really rule out that it came from one of their vendors. In a recent encrypted chat with a TDO spokesperson, the spokesperson claimed that the data had come from a vendor that was a lead generator for UHC but that UHC was “responsible.” TDO did not clarify what they meant by that and did not name the vendor. To the best of DataBreaches.net’s information, no ransom was paid in that situation either.

In July, TDO started leaking some of the AOC and MOPS patients’ information on Pastebin, while three more entities had their databases listed for sale on TheRealDeal. DataBreaches.net was able to identify two of the three and, as I had done with AOC, notified those two promptly that their data appeared to have been compromised:

Prosthetic & Orthotic Care, Inc. (P&O Care), which would also have patient data and images leaked on Pastebin and Twitter;
an entity in New York that DataBreaches.net was unable to identify; and
PilotFish Technology (PFT), whose source code was subsequently listed for sale on AlphaBay (see InfoArmor’s detailed analysis of the code and the risks it poses).

In an encrypted chat, TDO confirmed to DataBreaches.net that they had attempted to extort PFT. As far as DataBreaches.net knows, neither P&O nor the unnamed NY entity paid any ransom. So far, then, the only publicly mentioned victim that may have paid any ransom is the unnamed OKC entity.
TDO’s business model of extorting entities in the healthcare sector by putting their databases up for sale, naming them if they resisted paying, then leaking patient data and alerting the media to each development to increase the pressure, does not appear to have had any clear commercial success. Given that they were demanding fairly high ransoms, one can only wonder whether the model might have worked with smaller demands, although RexMundi also met refusals to pay in their European-based attacks. But even if the extortion model looks like something of a commercial flop as publicly executed, the fact remains that a number of entities in the healthcare sector had their patient or client information hacked, acquired, and put up for sale. And in addition to the databases that have been, and remain, listed for sale, other victim entities were alluded to by TDO publicly and in encrypted chats with DataBreaches.net.

Other Entities Investigating

Although a TDO spokesperson told DataBreaches.net and other news outlets that they had a 0day that they used to gain access to some of their targets, some victims’ disclosures have attributed their breaches to the compromise of an unnamed vendor’s credentials. The two accounts are not mutually exclusive. Last week, DataBreaches.net became aware that at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information. One of those entities is Peachtree Orthopedic Clinic (POC) in Atlanta. In a telephone conversation last Wednesday, an IT employee confirmed to DataBreaches.net that they have been investigating for weeks, trying to assess what may have happened, and that the FBI has been assisting them. The employee also confirmed that they were a client of the vendor that DataBreaches.net has been able to identify and names later in this report.
Several pieces of information had led me to suspect that POC might have become a victim of TDO, but I’ll only mention two of them here for now. One piece was that POC’s web site has a section on Team Affiliations that lists the Atlanta Braves and other teams. As I had reported on June 29, TDO had informed me in a private chat that they intended to release a database that day that I had described in my report as relating to a “major Atlanta sports team.” That team had actually been named by TDO to me as the Atlanta Braves. But TDO had also informed me that it was not the Atlanta Braves organization that had been hacked but another entity – a clinic – that was involved with the Atlanta Braves and other sports teams, a description that matches POC’s web site. Second, POC is an orthopedic clinic, and TDO had hit other orthopedic clinics, including Athens Orthopedic Clinic, which, like Peachtree, is also in the Atlanta area. Several hours after my phone conversation with the POC […]