Search Results : “peachtree orthopedic”

Oct 132016
 

Months after it was hacked by TheDarkOverlord, a second Atlanta orthopedic clinic notifies patients.

Peachtree Orthopedic Clinic in Atlanta has disclosed that they were hacked. WSBTV has the story. But the hack wasn’t on September 22 as the news cast seems to suggest – that’s just when they confirmed it.

This is all quite interesting, because I had reported on August 15 that they were investigating and the FBI was assisting. And as I noted in my report back then, everything I knew and had uncovered pointed to this being the work of TheDarkOverlord, who had actually given me the first clue to the breach at the end of June.

So when was Peachtree actually hacked? And did the hack exploit RDP, some patient management software, or was this a case of a patient records management vendor having compromised credentials?

There’s a lot more to ask Peachtree Orthopedic. Maybe this time, their external counsel won’t call me to tell me I’ve got wrong information. We’ll see…

In the meantime, here is their notice from their web site:

Patient care is at the center of our mission and we take seriously the confidentiality of the information we hold. We regret to inform you that on September 22, 2016 we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation.

While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient’s treatment code, prescription records, or social security number may also have been taken.

If you were a patient at Peachtree Orthopaedic Clinic prior to July 2014, you may be affected. In a small number of cases, patients who visited Peachtree Orthopaedic Clinic after July 2014 may also be affected.

Our investigation is in its early stages, but we felt it was important to communicate what we know at this time. We regret any anxiety or frustration that this causes you and are committed to supporting you.

We are reaching out directly to those affected via mailed letters and are offering one year of free identity protection services, including credit monitoring for affected individuals. In this letter, we will also outline other steps you can take to protect your identity, as well as information on how to access the free identity protection services.

If you have any questions, we have established a dedicated call center, which can be reached by calling (844) 801-5973 between 9 a.m. and 9 p.m. ET, Monday-Friday.

Thank you for your patience and understanding as we work through our investigation and try to provide you the best information and support that we can. We will share further information as we are able.

Sincerely,

Mike Butler

CEO, Peachtree Orthopaedic Clinic

Update 1:  Later today, TDO issued a press release with some patient information and a link to a dump of some internal documents. But then, I never doubted they did this one. I assume that they’re trying the same failed strategy of naming entities and dumping some sensitive data to put pressure on the entity to pay an extortion demand, which they acknowledge they made.

From their statement today:

It all began many months ago when we acquired 543k patient records which contain both PII and PHI – well before the date of breach notice and alleged date of breach. 543,879 records for anyone counting. Oh, the things one could do with so much data! Some of you have been so kind as to suggest what to do with it all (Hello, ICIT!).

After letting the records collect dust in a folder somewhere for months, we went to Peachtree Orthopedics – like Athens Orthopedic – and proposed a solution to the dilemma – we have data that they don’t want to us to have. With us both running a business, we hoped for a speedy resolution so we can go our separate ways – it was anything but.

I’m not reproducing the rest of their release, but looking at the internal documents, it looks like it was exfiltrated on or about May 18. That makes sense given that TDO first told me on June 29 about a hack of an Atlanta clinic with Atlanta Braves players’ info.

But if the data were hacked in May, when did POC first discover the breach? In mid -August, one of their employees told me that they had been investigating with the assistance of the FBI. But how did they first learn of the breach, and when? How is it that they were unable to confirm the breach until September 22? When did TDO first contact them with their extortion demand?

Update2: I just took at look at the internal docs TDO dumped. There are some tax return-related data, a bunch of insurance billing codes, some personal information on patients and staff, a copy of the liability insurance policy, a file curiously named or renamed “CV of doctor to ransom.pdf,” and  a plain text file with the names of insurance companies, their tax ID number, and the login credentials to every insurance site. The login credentials are pretty pathetic. Here are just a few, because I would hope that they have changed them already since they’ve known about the hack for a while:

Aetnahttps://www.aetna.com/provweb
Log In: PEACHTREE2001
Password: BILLING2001

Assurantwww.assurantproviders.com
Login: poc2001      Password: billing01

AARPhttps://aarpprovideronlinetool.uhc.com
Log In:     bpoc         Password: billing1

UNICARE
www.unicare.com
Log In: ORTHO2001
Password: 2001billing

Update3: This breach was reported to HHS on November 18 as affecting 531,000 patients.

 

Jun 242017
 

“We’ll not be caught, ever.”
— TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”).  At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated.

Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

  1. Athens Orthopedic Clinic
  2. Peachtree Orthopedics
  3. OC Gastrocare   
  4. An unnamed clinic in New York   and an  unnamed clinic in Oklahoma ??
  5. Aesthetic Dentistry    (New York)
  6. Prosthetic & Orthotic Care
  7. Midwest Orthopedic Pain & Spine
  8. Little Red Door Cancer Services of East Indiana
  9. Tampa Bay Surgery Center
  10. La Quinta Center for Cosmetic Dentistry
  11. Feinstein & Roe
  12. Dougherty Laser Vision
  13. Coliseum Pediatric Dentistry (aka Hampton Road Dentistry) 

A few notes on the above:

  1. The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents.
  2. Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes.
  3. Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

  • How many of the twelve confirmed breaches were reported to HHS?
  • How many of the twelve confirmed breaches were reported to state regulators?
  • How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

  • Athens Orthopedic Clinic
  • Peachtree Orthopedics
  • Prosthetic & Orthotic Care
  • Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.  And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches.

So why haven’t 8 of the 12 breaches been reported to HHS?  DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet.

In answer to the second question:  none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for  the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google.

Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients.

So here’s my request to the public:

If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it?  You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

And depending on the answers we get to the questions in this post, perhaps we should add one more question:

What, if anything, will HHS and state regulators do if they learn that entities have not reported breaches to them and/or to patients?  Will this get swept under a rug because the HHS breach tool is viewed by some as “too punitive?” Or will someone actually investigate to see whether patient information had been reasonably protected and patients notified of any breach? 

Update 1 July 6:  On June 23, DataBreaches.net filed public records requests with the California Attorney General’s Office and California Department of Public Health (CDPH), requesting any records filed by the following entities under California Civil Code Sections 1798.29 or 1798.82, or California Health and Safety Code Section 1280.15:

  • Feinstein & Roe
  • La Quinta Center for Cosmetic Dentistry
  • Dougherty Laser Vision
  • OC Gastrocare

On June 30, the California DOJ declined the request, responding, “We have not located any records responsive to your request.”

So none of those four clinics reported any alleged breaches to the DOJ and as of today, only one of seven entities (Tampa Bay Surgery) has reported anything to HHS.

DataBreaches.net subsequently obtained confirmation from reliable sources with firsthand knowledge who confirmed that OC Gastrocare had not reported any incident to HHS, to the state, or to any patients.  It is this site’s understanding that they are actively investigating the claimed hack.

Other entities contacted by DataBreaches.net did not respond to inquiries.

May 042017
 

While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more tv films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year.  All told, almost 180,000 patients had their personal information shared with the world.

Two of the incidents were previously known to this site, and had already been included in monthly analyses provided by this site to Protenus for their Breach Barometer reports. But for the benefit of those readers or journalists who seem to be first discovering TDO, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site):

DataBreaches.net strongly suspects that there are other medical clinics that were also attacked but never disclosed publicly.

In addition to medical clinics/providers and insurers, TDO’s victims have also included software and third-party vendors like PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer where 9.3 million records were listed for sale on TheRealDeal. And then there were that attacks in other sectors, like the attacks on WestPark Capital, Gorilla Glue , Pre-Con Products, G.S. Polymers, DRI Title, and other entities.

For those who are new to TDO’s playbook, be aware that if they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market for the data or no longer any market for the data. Dumping the database is often part of their strategy to send a warning to future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold.

Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of their playbook, which may explain why they have dropped three databases todayWhatever their reasons, here’s what we know so far about today’s three newly dumped databases:

Aesthetic Dentistry 

Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply:

 “Go f… yourself. Kisses from Aesthetic Dentistry or should I needly say kiss Aesthetic Dentistry FAT ASS.”   

Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin.

Despite the public pressure of revealing named patients’ medical diagnoses and other details, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought.

Today – seven months after their initial disclosure – TDO tweeted:

“Don’t mind us as we dust off 3.5k dentistry patient records:”

The database, in .csv format, contains 3,496 patient records, where the field headings include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text. What may be of especial concern to patients, apart from the risk of fraud, is the disclosure of their health information. Diagnoses included in the database included cardiac diagnoses such as heart murmur, hypertension, kidney diseases, psychiatric conditions such as depression, and various allergies and sensitivities, etc.

Aesthetic Dentistry never responded to inquiries sent to them in January and February by this site. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request in February with HHS as to whether this incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request.

OC Gastrocare

OC Gastrocare in California is another entity that TDO hacked last year and that they had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase pressure on them to pay.

Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted:

“Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients:”

Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ parts. To this day, TDO’s public statements often reveal that they try to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms). TDO has occasionally commented to this site that they believe clinics are not doing right by their patients by refusing to pay “modest” extortion demands that could protect the patients’ privacy. In other cases, they had informed this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing.

So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain it.

The OC Gastrocare data contains approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number are in plain text.

Tampa Bay Surgery Center

The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before:

“Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.”

The .csv-formatted database contains more than 142,000 patients records. And yes, date of birth and SSN were in plain text. There did not appear to be any health insurance information in this particular database.

Wait, What?

Here are a few things to mull over:

None of these three incidents appear on HHS’s public breach tool. Why not? Were they reported to HHS, and if not, should they have been?

Were the patients of these three entities ever notified of the incidents? At least two of these incidents were never disclosed on the victims’ web sites – at least as far as I could determine for Aesthetic Dentistry and OC Gastrocare. Because I did not know about Tampa Bay Surgery Center until today, it’s possible that there had been a notice on that site that I never saw, although I have found no evidence or archived copy anywhere if there was one.

DataBreaches.net has sent some emails to patients of of Aesthetic Dentistry and OC Gastrocare to inquire whether they ever received notification of the breaches. One patient of Aesthetic Dentistry has already responded, but stated that he does not recall whether he ever got any notification from them. Neither Aesthetic Dentistry nor OC Gastrocare responded immediately to emails sent to them today asking if they had ever notified their patients and asking for their reaction to TDO dumping their patients’ data.

This post will be updated if more information becomes available.

Protenus’s October Breach Barometer is available

 Posted by at 4:01 pm  Breach Incidents, Commentaries and Analyses, Health Data, Of Note, U.S.  Comments Off on Protenus’s October Breach Barometer is available
Nov 162016
 

As it has done in past months, Protenus has compiled a monthly report on health data breaches in the U.S. that were disclosed during October. Their analyses are based on data and information provided by this site and blogger. Of special note: in the past two months, we have now learned of two incidents affecting at least five covered entities where there was irretrievable patient data loss as a result of a ransomware attack. For at least four of the reporting entities, the data loss occurred at the business associate during recovery from the attack.

Note that incidents included in the monthly Breach Barometer do not always match HHS’s public breach tool for the month, because some incidents are added to the breach tool in the month or months following first public disclosure of an incident, and some incidents never appear on HHS’s breach tool because they are either under-500 or are never reported to HHS for various reasons.

The October report was based on incidents involving the following entities:

  • Aesthetic Dentistry
  • Anne M. Cummings, M.D., F.A.C.P.
  • Anthem, Inc.
  • Apria Healthcare
  • Baxter Healthcare
  • Baxter Regional Medical Center – Home Health Facility
  • Baystate Health
  • Bedford County Board of Education
  • CalOptima
  • Curtis F. Robinson, MD
  • Dr. Dennis T. Myers, D.D.S., P.A.
  • Florida Hospital
  • Francisco Jaume, D.O. (Yavapai Orthopaedics)
  • Fred’s Pharmacy
  • Gibson Insurance Agency, Inc.
  • Group Health
  • Health Access Network
  • Horizon The Health Center
  • Integrity Transitional Hospital
  • Lee Memorial Hospital
  • Mercy Hospital & Medical Center
  • MGA Home Healthcare Colorado, Inc.
  • Peabody Retirement Community
  • Peachtree Orthopedic Clinic
  • Rainbow Children’s Clinic
  • Richard E. Paulus
  • Richard H. Hutchings Psychiatric Center
  • Rite Aid
  • Singh and Arora Oncology Hematology, P.C.
  • The Finley Center for Acupuncture and Naturopathic Medicine
  • The Seattle Indian Health Board
  • Thomasville Eye Center
  • University of Wisconsin Hospitals and Clinics Authority
  • Vermont Health Connect
  • You and Your Health Family Care, Inc.

Many of the incidents, but not all, were reported on this site and can be found by using the “search” function.

You can find Protenus’s Breach Barometer for October here.

And after you’ve read the report, also read HIStalk’s interview of Robert Lord, CEO of Protenus, as he really articulates the challenges beautifully, e.g.:

Healthcare is fundamentally facing a crisis in trust in our systems. We’re increasing the amount of data we collect. We’re increasing the analytics that we’re performing. We’re increasing interoperability. We need all these things to deliver the promise of better care, better patient satisfaction, and decreased cost. In no way do we want to stand in the way of all of this great data-sharing.

Simultaneously, if we can’t build that trust in the system, if we can’t establish a new paradigm for how we’re going to protect all this data and make sure people are accessing data appropriately, then we’re going to lose all of these benefits in the long run.

Aug 152016
 

At the end of June, DeepDotWeb broke the story that hackers calling themselves TheDarkOverlord (TDO) had put three databases with patient information up for sale on the dark net.  Although the owners of the databases were not listed, DataBreaches.net was able to identify two of the three entities as the Athens Orthopedic Clinic (AOC) in Atlanta and Midwest Orthopedic Pain and Spine (MOPS) in Farmington, Missouri. Both entities reportedly received ransom demands from TDO to pay up if they wanted their patient data destroyed and not sold, but as of August 6, no ransom had been paid, according to TDO. Whether any has been paid since then is unknown, but doubtful.

The third database, from an entity originally described as being in the midwest but later identified more specifically as being in Oklahoma City, was never identified by DataBreaches.net nor named by TDO. TDO later claimed that they wouldn’t be naming them because the entity had paid the ransom and their for-sale listing was removed from TheRealDeal Market. But paying any ransom does not negate any obligations under HIPAA and HITECH to notify patients and HHS of a breach, and DataBreaches.net notes that there is currently no entry on HHS’s public breach tool that would correspond to any incident in Oklahoma affecting approximately 210,000 patients. Either the Oklahoma City entity did not report the incident to HHS, they reported but HHS has yet to post the report, or TDO fabricated claims about an OKC database paying ransom to boost its reputation. Given that TDO lied to some news outlets (including this one) in other claims, any of the three explanations seem possible at this point.

The day after they created headlines over those three databases for sale, TDO also listed for sale what they described as an insurer’s database with 9.3 million records. After attempting to contact people whose data were included in an expanded sample of data provided to this site by TDO,  DataBreaches.net suspected that the database was linked to United Healthcare, but UHC denied it was their data. As I noted in my report, their denial statement did not really rule out that it was one of their vendors. In a recent encrypted chat with a TDO spokesperson, the spokesperson claimed that the data had come from a vendor who was a lead generator for UHC but that UHC was “responsible.” TDO did not clarify what they meant by that and did not name that vendor.

To the best of DataBreaches.net’s information, no ransom was paid in that situation, either.

In July, TDO started leaking some of the AOC and MOPS patients’ information on Pastebin, while yet three more entities had their patient databases listed for sale on TheRealDeal. DataBreaches.net was able to identify two of three, and as I had done with AOC, notified those two promptly to alert them that their patient data appeared to have been compromised: Prosthetic & Orthotic Care, Inc. (P&O Care), who  would also have patient data and images leaked on Pastebin and Twitter, an entity in New York that DataBreaches.net was unable to identify, and PilotFish Technology (PFT). The source code for the latter was subsequently listed for sale on AlphaBay (see InfoArmor’s detailed analysis of the code and the risks it poses).

In an encrypted chat, TDO confirmed to DataBreaches.net that they had attempted to extort PFT. As far as DataBreaches.net knows, neither P&O nor the unnamed NY entity paid any ransom. So far, then, the only publicly mentioned entity/victim that may have paid any ransom is an unnamed OKC entity.

TDO’s business model of attempting to extort entities in the healthcare sector via putting their databases up for sale, naming them if they resisted paying ransom, and then leaking patient data and alerting the media to such developments to increase the pressure on the victims, does not appear to have had any clear commercial success. Given that they were demanding fairly high ransoms, one can only wonder if their model might have worked if they had demanded smaller ransom amounts, although RexMundi also encountered refusal to pay ransom in their European-based attacks.

But even if the extortion business model appeared to be something of a commercial flop as publicly executed, the fact remains that a number of entities in the healthcare sector had their patient or client information hacked and acquired – and put up for sale. And in addition to the databases that have been, and remain, listed for sale, other victim entities were alluded to by TDO publicly and in encrypted chats with DataBreaches.net.

Other Entities Investigating

Although a TDO spokesperson told DataBreaches.net and other news outlets that they had a 0day that they used to gain access to some of their targets,  some victims’ disclosures have made reference to compromise of an unnamed vendor’s credentials as being responsible for their breach. Last week, DataBreaches.net became aware that at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information.

One of those entities is Peachtree Orthopedic Clinic (POC) in Atlanta. In a telephone conversation last Wednesday, an IT employee confirmed to DataBreaches.net that they have been investigating for weeks, trying to assess what may have happened and that the FBI has been assisting them. The employee also confirmed that they were a client of the vendor that DataBreaches.net has been able to identify and names later in this report.

Several pieces of information had led me to suspect that POC might have become a victim of TDO, but I’ll only mention two of them here for now. One piece was that POC’s web site has a section on Team Affiliations that lists the Atlanta Braves and other teams.  As I had reported on June 29, TDO had informed me in a private chat that they intended to release a database that day that I had described in my report as relating to a “major Atlanta sports team.”  That team had actually been named by TDO to me as the Atlanta Braves. But TDO had also informed me that it was not the Atlanta Braves organization that had been hacked but another entity – a clinic – that was involved with the Atlanta Braves and other sports teams, a description that matches POC’s web site.

Second, POC is an orthopedic clinic, and TDO had hit other orthopedic clinics, including Athens Orthopedic Clinic, which, like Peachtree, is also in the Atlanta area.

Several hours after my phone conversation with the POC employee and my follow-up email to POC requesting a statement for publication, I received a phone call from their external counsel, Richard Sheinis of Hall, Booth, Smith, P.C. Mr Sheinis said he was calling to inform me that information in my email to them was inaccurate and that I had been given “bad information.” He would not specify exactly what in my email to them was inaccurate. Nor would he confirm nor deny whether POC had been hacked. Basically, then, I am not sure what they think I may be wrong about, but if they would like to provide a statement or correction, I will be happy to post it. For the time being, though, note that there is no confirmation or denial from POC that POC patient data has been compromised.

Another entity that is currently investigating whether their patient data may have been compromised is SSM Health in Missouri.  A spokesperson for SSM neither confirmed nor denied that they had been hacked, and provided the following statement to DataBreaches.net:

We are currently working with members of law enforcement to evaluate the extent to which one of our business partners has been compromised by a cyber-attack. As this is an active investigation, we can offer no additional details at this time. We remain vigilant in continuously monitoring our systems and take very seriously our role in safeguarding patient information.

DataBreaches.net has seen no real evidence that SSM patient data were hacked or acquired, and no TDO spokesperson ever mentioned “SSM” during any encrypted chats.

A third previously unknown and potential victim of TDO remains somewhat controversial due to a common name. One member of TDO told DataBreaches.net that “Mercy Healthcare” was one of their victims, and described Mercy as a large midwest system. But  Mercy in Missouri (where other victims are located) firmly denied that they were hacked.  MercyCare in Atlanta also firmly denied to DataBreaches.net that they had been hacked. But based on unconfirmed information received by this site, there may be at least two groups of hackers claiming that an entity named “Mercy” was hacked and/or had their patient data downloaded as a result of the vendor’s file.  DataBreaches.net does not know whether either of the two “Mercy” entities mentioned above were clients of the vendor in question.

Illinois Vendor Named

Quest Health Information Management Solutions/Quest Records LLC are based in Swansea, Illinois. They describe their services as “a spectrum of release of information and document management services in order to help our clients focus on providing the highest quality of care to their patients.” While no TDO victim has actually named  the vendor they blame for their breach, a recent statement by AOC quoted in an OnlineAthens report described the vendor as a “nationally-known healthcare information management contractor.”

Quest_2

Third-party vendors can provide a wealth of login credentials to clients’ data. In this case, DataBreaches.net was informed by a source that an inadequately secured Quest Records LLC file on Dropbox  put all of that vendor’s clients at risk because it allegedly contained their login credentials in plain text. And although DataBreaches.net has not been able to get confirmation of this, TDO reportedly did not hack the vendor, but rather, came into possession of the file acquired by other hackers. They then purportedly used it to attack and extort the vendor’s clients.

QuestHIMS_1

A Google search indicates that Quest Records LLC’s site may be hacked. 

In response to an inquiry from DataBreaches.net, Quest Records claims that they first learned that they had been compromised in April. In a statement provided to DataBreaches.net last week, they wrote:

CHICAGO, IL (August 9, 2016) – On April 21, 2016, Quest Records discovered a data security incident involving its computer systems. Quest Records immediately began an investigation, and retained a third party computer forensic firm to assist. Quest Records previously notified its clients of the incident, and is cooperating with the FBI as they investigate as well. Quest Records takes the security and confidentiality of information in its systems very seriously, and has taken significant steps to further enhance the security of its systems.

Quest’s CEO Chad Gray declined to provide further information as to when clients were notified and exactly what they had been told or advised. Gray’s biography on LinkedIn shows that he was employed by SSM Health as Director, Medical Management, from 2004 – 2008.

DataBreaches.net has been trying to obtain copies of Quest Record’s notification letters, and will update this post if the information is obtained.  But this site’s current understanding is that the credentials in the Quest Records file that had been acquired on or before April 21 still worked when TDO attempted to use them in May to steal data from Midwest Orthopedic Pain & Spine. And the credentials in that Quest Records file allegedly still worked on June 14 when TDO attacked Athens Orthopedic Clinic.

So when were AOC and MOPS notified by Quest Records and what were they told? Did they have adequate notice to change their passwords and protect themselves from TDO? Did other clients?


See also: Athens Orthopedic Clinic incident response leaves patients in the dark and out of pocket for protection


How Many Other Victims?

And how many other clients of Quest Records LLC may have had their patient information hacked or may still be at risk? DataBreaches.net does not know, but would not be surprised if there were a number of clients currently investigating to determine if their patient data was accessed or acquired. In an encrypted chat, TDO had indicated that there were “tons of clients,” and that they had all been attacked. That may have been hyperbole, but it is still cause for concern.

If you have specific information,  or a copy of Quest Records’ notification to clients, please contact me on Jabber at [email protected] or see the home page of DataBreaches.net for my public encryption key for email.