Just another day on the internet, where hackers are hacking, leakers are leaking, and thedarkoverlord is dumping PHI from American-based companies yet again. The breach associated with this partial leak is not new: databreaches.net reported on it back in August, and thedarkoverlord has now gone partially public with some of the information stolen from Peachtree Orthopedics. So far it's not looking too good for them, nor for thedarkoverlord, who keeps attempting to extort companies.

As usual, the leak was announced from their Twitter account and posted to Pastebin, in a paste that linked to a partial set of internal documents on Mega. The data uploaded to Mega is a zip archive named poc_documents.zip totaling 19.8 MB; uncompressed it expands to 27.7 MB and contains 60 files in xls, pdf and msg formats. Some of the XLS files have creation dates going back to 2010, but most of the content appears to be from 2014/2015.

One of the files in the leak contains clear-text credentials, with links to where they are used, for 41 different third-party services that Peachtree staff appear to use.

Breakdown of files: shared clear-text passwords, PINs, usernames and links for 41 different third-party services; patient reports; a 2015 tax return for an individual; American Board of Orthopaedic Surgery; a receipt for a ThinkPad Yoga; Medicaid credentialing with PIN and link; a W-9 form; a copy of a driver's license; resumes; donation of leave time certifications.

In the paste announcement, thedarkoverlord notes that they have found some FBI agents within the obtained patient data, which they claim tops 543,879 records of PHI and PII.
Months after it was hacked by TheDarkOverlord, a second Atlanta orthopedic clinic notifies patients.

Peachtree Orthopedic Clinic in Atlanta has disclosed that they were hacked. WSBTV has the story. But the hack wasn’t on September 22 as the newscast seems to suggest – that’s just when they confirmed it.

This is all quite interesting, because I had reported on August 15 that they were investigating and the FBI was assisting. And as I noted in my report back then, everything I knew and had uncovered pointed to this being the work of TheDarkOverlord, who had actually given me the first clue to the breach at the end of June.

So when was Peachtree actually hacked? And did the hack exploit RDP, some patient management software, or was this a case of a patient records management vendor having compromised credentials?

There’s a lot more to ask Peachtree Orthopedic. Maybe this time, their external counsel won’t call me to tell me I’ve got wrong information. We’ll see…

In the meantime, here is their notice from their web site:

Patient care is at the center of our mission and we take seriously the confidentiality of the information we hold.

We regret to inform you that on September 22, 2016 we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation.

While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient’s treatment code, prescription records, or social security number may also have been taken. If you were a patient at Peachtree Orthopaedic Clinic prior to July 2014, you may be affected. In a small number of cases, patients who visited Peachtree Orthopaedic Clinic after July 2014 may also be affected.
Our investigation is in its early stages, but we felt it was important to communicate what we know at this time. We regret any anxiety or frustration that this causes you and are committed to supporting you. We are reaching out directly to those affected via mailed letters and are offering one year of free identity protection services, including credit monitoring for affected individuals. In this letter, we will also outline other steps you can take to protect your identity, as well as information on how to access the free identity protection services.

If you have any questions, we have established a dedicated call center, which can be reached by calling (844) 801-5973 between 9 a.m. and 9 p.m. ET, Monday-Friday.

Thank you for your patience and understanding as we work through our investigation and try to provide you the best information and support that we can. We will share further information as we are able.

Sincerely,
Mike Butler
CEO, Peachtree Orthopaedic Clinic

Update 1: Later today, TDO issued a press release with some patient information and a link to a dump of some internal documents. But then, I never doubted they did this one. I assume that they’re trying the same failed strategy of naming entities and dumping some sensitive data to put pressure on the entity to pay an extortion demand, which they acknowledge they made. From their statement today:

It all began many months ago when we acquired 543k patient records which contain both PII and PHI – well before the date of breach notice and alleged date of breach. 543,879 records for anyone counting. Oh, the things one could do with so much data! Some of you have been so kind as to suggest what to do with it all (Hello, ICIT!). After letting the records collect dust in a folder somewhere for months, we went to Peachtree Orthopedics – like Athens Orthopedic – and proposed a solution to the dilemma – we have data that they don’t want us to have.
With us both running a business, we hoped for a speedy resolution so we can go our separate ways – it was anything but.

I’m not reproducing the rest of their release, but looking at the internal documents, it looks like it was exfiltrated on or about May 18. That makes sense given that TDO first told me on June 29 about a hack of an Atlanta clinic with Atlanta Braves players’ info.

But if the data were hacked in May, when did POC first discover the breach? In mid-August, one of their employees told me that they had been investigating with the assistance of the FBI. But how did they first learn of the breach, and when? How is it that they were unable to confirm the breach until September 22? When did TDO first contact them with their extortion demand?

Update 2: I just took a look at the internal docs TDO dumped. There are some tax return-related data, a bunch of insurance billing codes, some personal information on patients and staff, a copy of the liability insurance policy, a file curiously named or renamed “CV of doctor to ransom.pdf,” and a plain text file with the names of insurance companies, their tax ID number, and the login credentials to every insurance site. The login credentials are pretty pathetic. Here are just a few, because I would hope that they have changed them already since they’ve known about the hack for a while:

Aetna https://www.aetna.com/provweb Log In: PEACHTREE2001 Password: BILLING2001
Assurant www.assurantproviders.com Login: poc2001 Password: billing01
AARP https://aarpprovideronlinetool.uhc.com Log In: bpoc Password: billing1
UNICARE www.unicare.com Log In: ORTHO2001 Password: 2001billing

Update 3: This breach was reported to HHS on November 18 as affecting 531,000 patients.
“We’ll not be caught, ever.” — TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”). At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated. Over time, some journalists pretty much stopped reporting on TDO.

This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

- Athens Orthopedic Clinic
- Peachtree Orthopedics
- OC Gastrocare
- An unnamed clinic in New York and an unnamed clinic in Oklahoma ??
- Aesthetic Dentistry (New York)
- Prosthetic & Orthotic Care
- Midwest Orthopedic Pain & Spine
- Little Red Door Cancer Services of East Indiana
- Tampa Bay Surgery Center
- La Quinta Center for Cosmetic Dentistry
- Feinstein & Roe
- Dougherty Laser Vision
- Coliseum Pediatric Dentistry (aka Hampton Road Dentistry)

A few notes on the above:

The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents.

Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes.

Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

- How many of the twelve confirmed breaches were reported to HHS?
- How many of the twelve confirmed breaches were reported to state regulators?
- How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time.

First, only four of the 12 confirmed breaches appear to have been reported to HHS:

- Athens Orthopedic Clinic
- Peachtree Orthopedics
- Prosthetic & Orthotic Care
- Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.
And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches. So why haven’t 8 of the 12 breaches been reported to HHS? DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet.

In answer to the second question: none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google.

Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients.
So here’s my request to the public: If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it? You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

- OC Gastrocare
- Aesthetic Dentistry (New York)
- Tampa Bay Surgery Center
- La Quinta Center for […]
While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more TV films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year. All told, almost 180,000 patients had their personal information shared with the world.

Two of the incidents were previously known to this site, and had already been included in monthly analyses provided by this site to Protenus for their Breach Barometer reports. But for the benefit of those readers or journalists who seem to be first discovering TDO, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site):

- Athens Orthopedic Clinic
- Peachtree Orthopedics
- OC Gastrocare
- An unnamed clinic in New York
- Aesthetic Dentistry
- Prosthetic & Orthotic Care
- Midwest Orthopedic Pain & Spine
- Little Red Door Cancer Services of East Indiana
- An unnamed clinic in Oklahoma

DataBreaches.net strongly suspects that there are other medical clinics that were also attacked but never disclosed publicly.

In addition to medical clinics/providers and insurers, TDO’s victims have also included software and third-party vendors like PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer where 9.3 million records were listed for sale on TheRealDeal. And then there were the attacks in other sectors, like the attacks on WestPark Capital, Gorilla Glue, Pre-Con Products, G.S. Polymers, DRI Title, and other entities.

For those who are new to TDO’s playbook, be aware that if they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market for the data or no longer any market for the data.
Dumping the database is often part of their strategy to send a warning to future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold. Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of their playbook, which may explain why they have dropped three databases today.

Whatever their reasons, here’s what we know so far about today’s three newly dumped databases:

Aesthetic Dentistry

Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply:

Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin.

Despite the public pressure of revealing named patients’ medical diagnoses and other details, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought. Today – seven months after their initial disclosure – TDO tweeted:

Don’t mind us as we dust off 3.5k dentistry patient records: https://t.co/o5dewUPA8y
— thedarkoverlord (@tdohack3r) May 4, 2017

The database, in .csv format, contains 3,496 patient records, where the field headings include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text.

What may be of especial concern to patients, apart from the risk of fraud, is the disclosure of their health information.
Diagnoses in the database included cardiac diagnoses such as heart murmur, hypertension, kidney diseases, psychiatric conditions such as depression, and various allergies and sensitivities, etc.

Aesthetic Dentistry never responded to inquiries sent to them in January and February by this site. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request in February with HHS as to whether this incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request.

OC Gastrocare

OC Gastrocare in California is another entity that TDO hacked last year and that they had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase pressure on them to pay.

Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted:

Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients: https://t.co/3OojH3PrVs
— thedarkoverlord (@tdohack3r) May 4, 2017

Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ parts. To this day, TDO’s public statements often reveal that they try to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms).

TDO has occasionally commented to this site that they believe clinics are not doing right by their patients by refusing to pay “modest” extortion demands that could protect the patients’ privacy.
In other cases, they had informed this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing.

So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain it.

The OC Gastrocare data contains approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number are in plain text.

Tampa Bay Surgery Center

The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before:

Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us. https://t.co/gAlt5rhOXd
— thedarkoverlord (@tdohack3r) May 4, 2017

“Into the hundred […]
As it has done in past months, Protenus has compiled a monthly report on health data breaches in the U.S. that were disclosed during October. Their analyses are based on data and information provided by this site and blogger.

Of special note: in the past two months, we have now learned of two incidents affecting at least five covered entities where there was irretrievable patient data loss as a result of a ransomware attack. For at least four of the reporting entities, the data loss occurred at the business associate during recovery from the attack.

Note that incidents included in the monthly Breach Barometer do not always match HHS’s public breach tool for the month, because some incidents are added to the breach tool in the month or months following first public disclosure of an incident, and some incidents never appear on HHS’s breach tool because they are either under-500 or are never reported to HHS for various reasons.

The October report was based on incidents involving the following entities:

Aesthetic Dentistry Anne M. Cummings, M.D., F.A.C.P. Anthem, Inc. Apria Healthcare Baxter Healthcare Baxter Regional Medical Center – Home Health Facility Baystate Health Bedford County Board of Education CalOptima Curtis F. Robinson, MD Dr. Dennis T. Myers, D.D.S., P.A. Florida Hospital Francisco Jaume, D.O. (Yavapai Orthopaedics) Fred’s Pharmacy Gibson Insurance Agency, Inc. Group Health Health Access Network Horizon The Health Center Integrity Transitional Hospital Lee Memorial Hospital Mercy Hospital & Medical Center MGA Home Healthcare Colorado, Inc. Peabody Retirement Community Peachtree Orthopedic Clinic Rainbow Children’s Clinic Richard E. Paulus Richard H. Hutchings Psychiatric Center Rite Aid Singh and Arora Oncology Hematology, P.C.
The Finley Center for Acupuncture and Naturopathic Medicine The Seattle Indian Health Board Thomasville Eye Center University of Wisconsin Hospitals and Clinics Authority Vermont Health Connect You and Your Health Family Care, Inc.

Many of the incidents, but not all, were reported on this site and can be found by using the “search” function.

You can find Protenus’s Breach Barometer for October here. And after you’ve read the report, also read HIStalk’s interview of Robert Lord, CEO of Protenus, as he really articulates the challenges beautifully, e.g.:

Healthcare is fundamentally facing a crisis in trust in our systems. We’re increasing the amount of data we collect. We’re increasing the analytics that we’re performing. We’re increasing interoperability. We need all these things to deliver the promise of better care, better patient satisfaction, and decreased cost. In no way do we want to stand in the way of all of this great data-sharing. Simultaneously, if we can’t build that trust in the system, if we can’t establish a new paradigm for how we’re going to protect all this data and make sure people are accessing data appropriately, then we’re going to lose all of these benefits in the long run.