Search Results : “athens orthopedic”

Aug 17 2016

discovered today that two copies of a paste (data dump) with over 860 AOC patients’ information are still available online if you know where to look for it.

I’m providing a redacted screenshot below so patients can get a sense of what these pastes/leaks look like, although I’ve blacked out most of the street addresses, the patients’ last names, their date of birth, Social Security number, and other information that was in these records. The first leak by the hackers was removed after AOC reported it to Pastebin; that leak had 500 patients’ information in the same format as the one below.

Keep in mind that there were over 860 entries like the few you’re seeing below and there was more than one copy of this paste on Pastebin. According to Pastebin, there have been 52 views of this paste as of today.

TheDarkOverlord leaked patient information from AOC on August 3rd with a note “Pay up, Kayo.” The pastes were still online on August 17, 2016. 

Here are the data field labels that were in this database, although not all fields had data in them:

PRIMINSGROUPID”,”/SECONDARYINSPOLICYID”,”/SECONDARYINSGROUPID”

has reported the two pastes to Pastebin to ask them to remove them promptly, and will check back tomorrow to see if they have been removed.

Update 1 of Aug. 18: On July 25, this site reported that AOC had begun notifying patients (two) days after this site had notified it that a paste with 500 patients’ information had appeared on Pastebin with a note from the hackers. At the time, AOC gave this site a statement that said, in part:

At the same time as all this was going on, we found out about the Pastebin dumps just before your email (yet remain grateful to your letting us know, as well) and have been trying since early Saturday to get the first removed and then the second one since yesterday.

Last night, I discovered that in addition to the two pastes dated August 3rd that I reported yesterday as still being online, there was yet another paste – this one dated July 26 (after AOC’s statement) also still available online. This paste was identified by the hackers as a second copy of another paste. It also contains 500 patients’ details.

Note that these pastes would be very hard for AOC to find as they would not show up in a routine search. But how many entities did the hackers share the links to these pastes with? Each paste was viewed at least dozens of times. has now requested that Pastebin remove this newly found paste, but that paste may put the number of unique patients’ leaked records at about 2,000 or more. I hope AOC has copies of all these pastes so that they know exactly which patients had their details leaked on Pastebin in addition to being put up for sale on TheRealDeal market.

Update of Aug 22: the pastes are still online, and I have emailed Pastebin again to request removal or an explanation of why they haven’t removed these pastes.

Aug 15 2016

On June 26, after learning that databases with patients’ protected health information had been put up for sale on the dark web, began investigating and trying to alert the victim entities so that they could take immediate steps to try to mitigate harm to patients.

By that evening, I had sent an email to Athens Orthopedic Clinic (AOC) in Georgia, to say that it appeared that they had been hacked. I followed up the next day via e-mail and a phone call to make sure they received my notification. On June 29, they issued a statement confirming that they were investigating a potential breach that they had first been made aware of in the previous 48 hours.

But their incident response after that point raises questions about any risk assessment and plan for breach response that they may have had in place, and how decisions they made may have negatively impacted the very patients to whom they were and are responsible.

Did AOC’s Response to Ransom Demands Lead to Retribution by Hackers?

Dealing with a ransom demand, as was the case here, is never an easy situation or decision. Paying a ransom does not guarantee that the extorters will not come back at a later time and demand more money. Nor does it guarantee that the criminals will not take the ransom and then sell the patient data on the dark web anyway. There is really no clear guidance for healthcare entities as to how to respond to this type of situation, as HHS’s recent guidance on how to respond to a ransomware demand doesn’t really apply when you know that the attacker actually has all of your patients’ information and is threatening to misuse it, leak it, or sell it.

But ticking off the criminals by telling them that you’ll pay and then not paying, or stringing them along – even if it is at someone’s suggestion – may have backfired for AOC’s patients. Had AOC simply refused to pay the ransom from the outset or had they paid it, TheDarkOverlord (TDO) hackers likely would not have responded as punitively as they did. According to emails has read, at various points, AOC indicated that it was willing to pay some ransom but needed to work out a payment system. Later, they indicated they were willing to do a wire transfer. At other points, they didn’t respond by deadlines TDO had given them, infuriating the hackers. Read in sequence, the emails might appear to be stringing TDO along, stalling them, or jerking them around. And according to statements made to by TDO in encrypted chats, some of the public leaks of AOC’s patient information were in direct response to AOC failing to follow through on what it had told the hackers it would do.

The TL;DR version is that TDO informed this site that they were determined to make an example of AOC to show the world that you don’t screw around with TDO. And they even warned AOC. As just one example, a snippet from one of their emails to AOC:

If you continue to play these fucking games with us, a sort of hostage kill off is going to occur and leave thousands of patients records publicly listed and abused with your name signed to all of it as the source.

So would patient data have been publicly leaked, or would as much data have been leaked, if AOC had made a decision, informed the attackers of that decision, and stuck to it? AOC’s ever-changing responses and missed deadlines appear to have resulted in more patients having their details leaked on Pastebin.

Are Patients’ Data Still At Risk?

Although AOC may have become a victim due to a vendor’s failure to secure their credentials, and while AOC trauma surgeon Chip Ogburn wrote a passionate and obviously heartfelt letter to patients assuring them that AOC is committed to rectifying the data breach, there are also other questions raised by AOC’s incident response.

That AOC didn’t know that they had been hacked and only learned of the hack weeks later when they were alerted to it by this site is not surprising to anyone familiar with breaches. But it still raises the question as to what software or technical safeguards AOC had in place to detect intrusions and the exfiltration of hundreds of thousands of patients’ records that included image files. Both HHS and the FTC may have questions about that.

See also: Quest Records LLC Breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked  

And once AOC confirmed that there had been an intrusion and patient data had been acquired, why didn’t they immediately change all passwords – even after the hackers contacted them and lectured them on their failure to change passwords?  AOC’s statement on their web site says, in part (emphasis added by me):

If you were a patient of any Athens Orthopedic Clinic location or the patient of a doctor or provider who worked with any of our locations on or before June 14, 2016, we regret to tell you that our electronic medical records system has been compromised and that your personal information is vulnerable.

but has seen correspondence indicating that information of patients seen after June 14 was still accessible to the hackers. These emails indicate that TDO informed AOC in mid-July that they still had access to AOC’s internal network. They even mentioned specific systems that were still vulnerable. Here are some snippets from TDO emails to AOC during June and July:

…. We are still in your system right now in fact. You have done little to mitigate against an advanced attacker. Pulling the internet plug won’t help when you have embedded devices that run over a cellular network.

…. Now up to this point, you should have already changed all the passwords and usernames for all your systems, but they were not changed for all your systems. They should have been amended immediately from the time we sent the first email. We understand it may take a day or two…. However, within a few hours of the second email they should have definitely been changed seeing as how we specifically listed some systems by name. For record, they were not changed even at this time.

It is now over two weeks later, and the passwords are still not changed. Let’s just use the PACS imaging system as an example here. We just logged in a few minutes ago. Even after telling you directly which systems were compromised, nothing has been done to correct the issue.

So why didn’t AOC change all the passwords promptly? Did the FBI or someone advise them not to change the passwords for some reason? Why could the hackers presumably still access the network and patient data weeks after AOC knew they had been hacked?

On July 26, one month after AOC learned they had been hacked, TDO claimed in an encrypted chat with that they still had access to AOC through a backdoor they had installed. does not know if AOC’s consultants have found a backdoor where TDO claimed to have installed one on their network. This site doesn’t even know if they even looked for one where TDO claimed to have installed one. Despite alerting them that there is a claimed backdoor and requesting an opportunity to talk to the security team directly, there has been no direct communication.  Although has no evidence to suggest that TDO continued to acquire more patients’ information after June 14, this site also has no statement from TDO that they didn’t acquire more information. AOC’s patients, some of whom are reportedly already angry and think AOC hasn’t done enough, may understandably wonder whether AOC’s network might still be at risk.

Was More Disclosure in Order?

Patients may also want to ask AOC why it did not disclose that their data was, and remains, up for sale on the dark web and why they were not informed that some of their personal information had also been publicly posted on Pastebin. The letter sent to patients, which may be some patients’ only source of information, doesn’t disclose either of those facts – or the fact that TDO claimed that they have already sold some patients’ information.

Wouldn’t you want to know if your identity information and other information was up for sale to criminals?  Wouldn’t you want to know if your information might have already been sold? Should AOC have told its patients these things?

AOC’s Inadequate Mitigation of Harm

Under the circumstances, it was somewhat shocking to read that AOC has not offered its patients credit monitoring services. Even though I have been critical of how much such services actually help, it’s almost de rigueur in this day and age to offer such services when identity information has been acquired by criminals.

Does AOC have an insurance policy that covers the costs of a breach? In an email from AOC’s attorney to the hackers on July 2, the attorney claimed that AOC doesn’t have insurance to cover cyber-related losses:

Your financial demand is significant given that AOC’s current insurance provider does not cover cyber related losses.

Of course, the attorney could have been lying to TDO to try to get them to reduce the ransom demand or to just stall them, but the attorney’s email appears consistent with a recent public statement by CEO Kayo Elliott, quoted by Jim Thompson of OnlineAthens, suggesting that they may not have insurance (or sufficient insurance) for data breaches:

“And of course, they wish we could pay for extended credit monitoring. So do we. We truly regret that we are unable to do so, as we are not able to spend the many millions of dollars it would cost us to pay for credit monitoring for nearly 200,000 patients and keep Athens Orthopedic as a viable business. I recognize and am truly sorry for the position this puts our patients in.”

Note that although Elliott refers to “extended credit monitoring,” it is not clear to this site that AOC has offered any credit monitoring services at their expense.

Is AOC running an operation with 17 locations without any cyber-insurance to cover breach costs? In light of the attorney’s statement and the CEO’s statement, and as much as I hold the hackers responsible for their own conduct, I found myself in agreement with the hackers’ response to the attorney’s email of July 2:

If you have not already, you should advise your client that the year is sixteen past two-thousand and that they should have already had the necessary insurance policies to cover such incidents as this one.

Insurance is part of the cost of doing business, and AOC’s incident response has failed its patients, leaving them with a heavy burden of worrying for years to come whether their identity information is circulating underground and being misused for fraudulent purposes. And of course, any medical/protected health information is forever.

So although feels significant sympathy for AOC and any healthcare entity that gets hacked and has to deal with the breach remediation and response, right now I feel more sympathy for AOC’s patients, who I believe deserve both greater disclosure of the risks they now face and more support than they appear to have gotten so far.

If You Were Affected by This Breach

Because I think AOC did not give its patients enough information and advice to help them protect themselves, here’s my personal advice to AOC patients :

First: If you are an AOC patient who was notified of the breach, your best protection may be to put a freeze on your credit report – not a fraud alert. If you need to allow merchants or financial institutions to check your credit, you can lift (“thaw”) the freeze, but a freeze will generally give you better protection against misuse of your information than a fraud alert or fee-based credit monitoring service. You can read this article on the pros and cons of fraud alerts vs. credit freezes. And you can see this information from Georgia on the procedure and the fees for credit freezes if you decide to pursue that route.

Second: if AOC had or has your current health insurance account information in their files, check your explanation of benefits statements from your health insurer when you receive them each month to see if you recognize all the providers and services. If you don’t recognize a provider, contact your insurer and tell them that you are concerned that there might be fraudsters using your insurance information and ask them to investigate or verify the claim. While it may not be likely that your records will be corrupted by fraudulent use of your health insurance in ways that could affect your future medical care, it can happen, so don’t take any chances with that. In some cases, you may be able to get a new insurance account number issued, but if you’re a Medicare patient, well, you’re probably out of luck on that.

Third: run a Google search on your name (as it would appear in AOC’s records) regularly to see if your personal information is showing up in any places it shouldn’t be – such as Pastebin or other sites where hackers leak data. Google doesn’t index all sites, and you may not find yourself even if your data are listed in a dark web marketplace, but you may find something that can clue you in that you need to take more steps to protect yourself. And if you gave AOC your email address, also run a check for that email address on Have I Been Pwned. If that email address has shown up in any data leaks they have compiled, they will show you where your email address was leaked, and you can sign up for (free) future notifications if that email address shows up in other data leaks. As of today’s date, they do not appear to have indexed the pastes on Pastebin that had more than 1,500 AOC patients’ information.

Fourth: You have the right to request/demand that AOC delete all information they hold about you. Or at least that’s what they claim in their privacy policy. If you no longer trust them to protect your information or to respond appropriately to any breach, you may wish to avail yourself of this right. Just be sure to get a copy of all your records first, of course. 

Finally, if you have been affected by this breach, you can use the Comments section below this post to let us know, although there’s not much I can really do for you other than to let you vent and connect with others in the same situation. Do not put your name and phone number in any comment or invite attorneys to contact you – I delete personal information to protect my site visitors’ privacy. And I do not allow attorneys to use my Comments sections to advertise for or recruit potential plaintiffs. If they try it, their comment goes straight to trash. Note that all comments are moderated, so any comment you submit may not show up right away.

Update 1: As of last night, the AOC and other databases were still listed for sale on TheRealDeal market (see my previous posts about the ad listing). As of now, they are all gone. Interesting….

Update 2 (Aug. 16): The site received the following comment via e-mail that I am posting with the submitter’s permission:

Data Breach notification letters that ask patients to procure their own credit monitoring services or to simply put a flag on their account are usually a red flag that there are other things the Covered Entity that allowed a breach to happen is also doing incorrectly. I expect affected patients to form a class action lawsuit, as GA is currently not a state that has a Private Right of Action law. The moral of this story: hire qualified, healthcare specific IT, either internal employee(s) or an outsourced company and pay for security. It can be done, even in small practices. Had this clinic had basic IT security in place, perhaps they could have logged and even blocked access to the hackers.

Amy Wood
President / HIPAA Privacy Officer
Certified Healthcare IT Security Administrator
Certified HIPAA Security Professional
Continuing Education Registered Provider (CA)

ACS Technologies, LLC

notes that at this point, we do not have any forensics report or any report that would evaluate the state of AOC’s infosecurity program prior to the breach, although they have stated that they had already hired experts to help them improve their security before the breach.

Update 3 (8-17): Today I found more than 860 AOC patients’ data still exposed online, including their contact details, Social Security numbers, date of birth, and in some cases, insurance info.

Aug 03 2016

On June 26, reported that several databases with patient information had allegedly been hacked and put up for sale on the dark net by hackers calling themselves TheDarkOverlord (TDO). This site subsequently identified one of the entities as the Athens Orthopedic Clinic in Georgia, and contacted them to alert them that it appeared that they had been hacked.

On July 25, AOC publicly acknowledged that they had been hacked and patient data stolen. Their notification came just days after 500 patients’ information was leaked on Pastebin with a note to the CEO to “pay the f**k up.”

The warning was in reference to a ransom demand of 500 BTC that had been made by TDO on June 27th. At the time, that sum converted to about $335,000. By the hackers’ calculations, AOC could protect the patient data from disclosure for about $1 per patient, which is considerably less than it would cost AOC to offer its patients credit monitoring services. Despite the bargain rate, the warning issued on Pastebin suggests that AOC was not complying with the ransom demand.

As I noted in my previous reporting, when AOC did confirm and disclose the breach, they did not publicly acknowledge that they had received any ransom demand. Nor did they disclose that patient data had already been leaked on Pastebin.

Today, more of AOC’s patient data was leaked on Pastebin. As is my policy, is not linking to the pastes. There may be more pastes than this site currently knows about, but at least 1,500 more AOC patients apparently had their information leaked today.

In an encrypted chat with a spokesperson for TDO who declined to provide his individual nick or role in the hack and extortion demands, was told that TDO has already been selling the data on the dark net. The sales, they claim, would not show up on TheRealDeal Market (TRD), which they say they mainly use as a listing service.

According to the spokesperson, TDO sells data, gives the buyer a chance (time) to misuse it, and then leaks the data publicly so others can also misuse it. If the spokesperson is being truthful ( has no way to confirm or disconfirm these claims), then every AOC patient whose data has been leaked on Pastebin had their information previously sold to criminals. The spokesperson also stressed that if the patient’s information has not appeared on Pastebin, it has not (yet) been sold.

So far, the TDO spokesperson claims, they have sold anywhere between 5,000 – 6,000 patients’ information. asked AOC to respond to the hackers’ claims and reiterated a request for an explanation as to why they have not publicly acknowledged any ransom demand, and why they have seemingly not informed patients that their information has been leaked. In response, a spokesperson for AOC sent the following statement:

I’m unable to confirm any of what you write about what the hacker has recently told you. AOC continues to work with its team to take all available steps to mitigate the criminal actions of the hacker, to secure its system, and to inform its patients of what has happened. AOC reported the breach to both law enforcement authorities and to HHS and is in the process of fulfilling its notification requirements under HIPAA. As you know, we felt it best to get ahead of the official notification with early notice on AOC’s website, and toll-free line, as well as by providing you a quote early on and releasing information to a few select local media.

In terms of your previous question re ransom demands, we have said to those who ask that there have been attempts at extortion for ransom. As you have reported, paying ransom does not guarantee any further criminal activity will not take place.

We’ve asked Pastebin to take down all the dumps, as anyone can when they see illegal activity, as soon as we find out about them, and that has taken more than 24-48 hours for several.

So if patients know to ask about ransom or whether their data have been publicly leaked, they may find out, but otherwise…? continues to believe that HHS should address this issue as an interpretation of HITECH: should patients be informed of such developments so that they have adequate information to assess their risk?

In the meantime, TDO claims that they have been selling patient records for an average of $17.82 a record, with a low of $5.72/record to a high of $25 per record.

Today, because AOC missed the ransom deadline, TDO raised the ransom demand to 700 BTC. In a statement to, they say:

We are doing our best to ensure that our demands are either met or that further harm comes to AOC and their current and former patients. We hope that the current and former patients understand that Kayo Elliot has the power to cease all of this abuse and drama by satisfying our demands. We have been more than amicable from the beginning and have escalated as a result of non-compliance.

If the past is any predictor of the future, expects to see many more pastes of AOC patient data, and possibly all of the database, which, according to TDO’s listing on TRD, has records on almost 397,000 patients.

AOC patients should not only consider putting a security freeze on their credit reports, but should also be diligent about checking any explanation of benefits (EOB) statements they get from their health insurer, to see if there is any evidence that their insurance account information has been used for insurance fraud.

Jul 25 2016

On June 26, this site reported that a database with almost 397,000 patient records was up for sale on the dark net. I subsequently tentatively identified the entity as Athens Orthopedic Clinic in Georgia, but they never officially confirmed that it was their data, noting only that they were investigating and had only first found out about the breach – a claim that TheDarkOverlord disputed. They also acknowledged to this site that they had received an extortion demand.

TDO eventually identified AOC as the entity, but AOC has remained publicly silent – until now.

Over the weekend, 500 patients’ records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the fuck up.” contacted AOC to alert them to the paste and to ask for an update on their investigation and response. The following statement, received this evening, can be attributed to a spokesperson from their PR firm:

We’ve been working hard to determine which patients were affected by the breach and how. That information was confirmed late last week. Since then we’ve been working hard to be sure we have correct addresses and to get a HIPAA patient notice properly prepared. That process continues with printing and mailing starting tomorrow. I understand HHS/OCR posting needs to happen after breach notification is in the patients’ hands.

At the same time as all this was going on, we found out about the Pastebin dumps just before your email (yet remain grateful to your letting us know, as well) and have been trying since early Saturday to get the first removed and then the second one since yesterday.

AOC is working with authorities.

As of just a few minutes ago, we have a toll-free number live at 844-382-9364 for patients who may hear about the breach before they get our letter, as well as a statement on the AOC website.

The text of their statement on their web site makes no mention of any extortion demand or their response to it, and does not directly name SRS, whose software the hackers had identified as vulnerable (see Update 2, below):

Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. Personal information of our current and former patients has been breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history.

We apologize for the stress and worry this situation may cause our patients and their families. We are committed to keeping patient information safe and assure you we are doing everything possible to retain your trust in our practice. If you are a current or past patient, we advise you to take the following steps:

1. Call the toll-free number of any of the three major credit bureaus (below) to place a fraud alert on your credit report.

Equifax: (888) 766-0008; General: (800) 685-1111; P.O. Box 740241, Atlanta, GA 30374-0241.

Experian: (888) 397-3742; General: (888) EXPERIAN (397-3742); 475 Anton Blvd., Costa Mesa, CA 92626.

TransUnion: (800) 680-7289 (888-909-8872 for freeze); TransUnion Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19022-2000. General: (800) 680-7289.

2. Order your credit reports. By establishing a fraud alert, you will receive a follow-up letter that will explain how you can receive a free copy of your credit report. When you receive your credit report, examine it closely and look for signs of fraud, such as credit accounts that are not yours, then continue to monitor your credit reports to ensure an imposter has not opened an account with your personal information.

To protect against such breaches in the future, Athens Orthopedic Clinic has retained cyber security experts to investigate and make recommendations for additional improvements to our system, and has begun implementing these recommendations.

You may contact our toll-free telephone number at 844-382-9364 for additional information. As always, our focus remains on patient care and we appreciate your understanding and patience.

UPDATE 1: It looks like TheDarkOverlord decided to contact local media and revealed more about their extortion demands.

UPDATE 2: Although TDO had informed this journalist that SRS software was vulnerable, that should not be construed as indicating that they were the third-party vendor being referred to in AOC’s statement – or in the statement by the Farmington entity, also released today.

Note that in emails to AOC released on WGAUradio, the hackers make reference to AOC never changing passwords even after they were notified by the hackers of exactly what some of the compromised systems were. That claim bears further investigation and a statement from AOC as to why they did not change passwords. Were they advised not to, for some reason?