Athens Orthopedic Clinic Pays $1.5 Million to Settle HHS Charges of Systemic Noncompliance with HIPAA Rules
From HHS, a settlement notice involving one of thedarkoverlord’s victims. Athens Orthopedic Clinic is still facing a lawsuit from patients that made it all the way up to the Georgia Supreme Court on the issue of whether they had demonstrated enough harm to survive a motion to dismiss. Note: This blogger is the journalist referenced in HHS’s notice below and this site covered the Athens Orthopedic attack and incident response extensively in 2016 and thereafter (coverage linked from here). Athens Orthopedic Clinic PA (“Athens Orthopedic”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia and provides orthopedic services to approximately 138,000 patients annually. On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor’s credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016. On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients’ names, dates of birth, social security numbers, medical procedures, test results, and health insurance information. OCR’s investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. In addition to the monetary settlement, Athens Orthopedic has agreed to a robust corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/athens-orthopedic-ra-cap.pdf – PDF*. * People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing [email protected] Of special note, and as I previously reported in covering this incident, it seemed that thedarkoverlord accessed AOC using credentials hacked from Quest Records. In the Corrective Action Plan, HHS noted that AOC had no business associate agreement in place with Quest, among others. In a statement to DataBreaches.net, Quest had claimed that they had notified their clients after discovering they had been hacked, but they did not answer my question as to when they notified AOC and whether it was before June 14 when the stolen credentials were used or not. Later today, one of the members or associates of thedarkoverlord is scheduled to plead guilty for his role in five TDO attacks, one of which appeared to be Athens Orthopedic.
Georgia Supreme Court resuscitates patient lawsuit against Athens Orthopedic Clinic
The Georgia Supreme Court has breathed new life into a lawsuit by patients of Athens Orthopedic Clinic (AOC) whose data were stolen by thedarkoverlord in 2016. In a decision issued this week, the judges unanimously reversed the Court of Appeals’ dismissal of the lawsuit, vacated other parts of their ruling, and remanded the case. At issue before the court was how Georgia law would apply the cognizable injury required for standing in a negligence suit under state law. The lower court had granted the clinic’s motion to dismiss based on the majority agreeing that any harm alleged by the plaintiffs was future harm and speculative. The state supreme court agreed with the plaintiffs, however, finding hat they had alleged enough harm to survive a motion to dismiss. The Athens Orthopedic Clinic case was one of thedarkoverlord’s earliest known hacks and extortion attempts in June, 2016. This site’s coverage of the case and its aftermath can be found linked from here. When the clinic wouldn’t pay the extortion demand, the hackers allegedly falsely claimed to have sold some of the data that they had listed on a dark web marketplace. But eventually, the hackers also began publicly releasing actual segments of the patient database on Pastebin. The pastes were downloaded by unnamed others, increasing the risk that patient data was falling into criminals’ hands or was being acquired by those who could and would misuse it. At least one named plaintiff, Christine Collins, alleged that she suffered actual fraudulent activity on her credit card shortly following the attack. To add to the patients’ concerns, AOC announced that it did not have any insurance that would cover it for offering affected patients credit monitoring and/or identity theft restoration services. While the litigation continues to work its way through the courts, one member of thedarkoverlord is preparing to stand trial for his role in the attack on the clinic and four other attacks. Although not identified by name, AOC appears to be Victim 5 in Nathan Wyatt’s indictment. It also appears that AOC was the victim who received the “rap-style” phone threats, allegedly made by Wyatt. AOC reported the incident to HHS in the summer of 2016, but there is still no closing summary on any investigation by OCR, which may mean that they still have an open investigation or case. DataBreaches.net notes that OCR already closed its investigation into other TDO hacks during that same time period, including two of the Missouri victims involved in the Wyatt case: Prosthetic & Orthotics Care and Midwest Orthopedic Pain and Spine. The fact that the AOC case is not closed could mean that the Atlanta region of OCR is just more backlogged than Missouri, or it may be a sign that AOC is not out of the woods with OCR yet. One of the questions OCR may have for AOC may relate to claims by the hackers that even after AOC knew that they had been hacked, they still didn’t change their login credentials to all their systems, even after weeks and two emails from the hackers letting them know that they still had access. Not only might OCR have some questions as to whether that happened, but if it did happen, it might support the plaintiffs’ negligence claims.
Are thedarkoverlord’s victims entitled to damages from Athens Orthopedic Clinic? Georgia Supreme Court to rule.
Bill Rankin reports: In the spring of 2016, a cyber thief calling himself the “Dark Overlord” hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients. The Athens Orthopedic Clinic refused to pay the hacker’s ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients — demanding that the clinic pay damages — could set a precedent in Georgia, where reports of data breaches have been soaring. Read more on AJC. The plaintiffs in the case are Christine Collins, Paulette Moreland, and Kathryn Strickland. The case number for the docket is S19G0007.
Athens Orthopedic Clinic patient data still exposed on leak site
DataBreaches.net discovered today that two copies of a paste (data dump) with over 860 AOC patients’ information is still available online if you know where to look for it. I’m providing a redacted screenshot below so patients can get a sense of what these pastes/leaks look like, although I’ve blacked out most of the street addresses, the patients’ last names, their date of birth, Social Security number, and other information that was in these records. The first leak by the hackers was removed after AOC reported it to Pastebin; that leak had 500 patients’ information in the same format as the one below. Keep in mind that there were over 860 entries like the few you’re seeing below and there was more than one copy of this paste on Pastebin. According to Pastebin, there have been 52 views of this paste as of today. Here are the data fields labels that were in this database, although not all fields had data in them: “/Today”,”/TodayLong”,”/PrimaryHealthInsCo”,”/PrimaryHealthInsType”,”/SecondaryHealthInsCo”,”/ SecondaryHealthInsType”,”/Address1″,”/Address2″,”/Age”,”/AnAge”,”/AgeSingular”,”/DOB”,”/CellPhone”,”/ City”,”/Email”,”/Fax”,”FName”,”FNameCaps”,”LName”,”/MI”,”LNameCaps”,”/NamePrefix”,”/NameSuffix”,”/ Note”,”/personid”,”/Phone”,”/PhoneExtension”,”/WorkPhone”,”/WorkPhoneExtension”,”/Race”,”/ Sex”,”man/woman”,”male/female”,”male/femaleFirstCap”,”he/she”,”he/sheFirstCap”,”him/her”,”his/her”, “his/herFirstCap”,”boy/girl”,”son/daughter”,”grandson/granddaughter”,”/SharedID”,”/SSNO”,”/State”,”/JobTitle”,”/ Zip”,”/UDF1″,”/UDF2″,”/UDF3″,”/UDF4″,”/UDF5″,”/UDF6″,”/UDF7″,”/UDF8″,”/UDF9″,”/UDF10″,”/PriDrPersonID”,”/ PriUDF1″,”/PriUDF2″,”/PriUDF3″,”/PriUDF4″,”/PriUDF5″,”/PriUDF6″,”/PriUDF7″,”/PriUDF8″,”/PriUDF9″,”/ PriUDF10″,”/PriDrAlias”,”/PriDrFirst”,”/PriDrLast”,”/PriDrNamePrefix”,”/PriDrNameSuffix”,”/PriNote”,”/ PriDrAddr1″,”/PriDrAddr2″,”/PriDrPhoneExtension”,”/PriDrEmail”,”/PriDrCellPhone”,”/PriDrFax”,”/PriDrPhone”,”/ PriDrZip”,”/PriDrState”,”/PriDrCity”,”/PriNPI”,”/RefPersonID”,”/RefDrAddr1″,”/RefDrAddr2″,”/RefDrCity”,”/ RefDrFirst”,”/RefDrLast”,”/RefDrNamePrefix”,”/RefDrNameSuffix”,”/RefNote”,”/RefDrPhone”,”/RefDrPhoneExtension”,”/ RefDrEmail”,”/RefDrCellPhone”,”/RefDrFax”,”/RefDrState”,”/RefDrZip”,”/RefUDF1″,”/RefUDF2″,”/RefUDF3″,”/ RefUDF4″,”/RefUDF5″,”/RefUDF6″,”/RefUDF7″,”/RefUDF8″,”/RefUDF9″,”/RefUDF10″,”/RefNPI”,”/PRIMINSPOLICYID”,”/ PRIMINSGROUPID”,”/SECONDARYINSPOLICYID”,”/SECONDARYINSGROUPID” DataBreaches.net has reported the two pastes to Pastebin to ask them to remove them promptly, and will check back tomorrow to see if they have been removed. Update 1 of Aug. 18: On July 25, this site reported that AOC had begun notifying patients (two) days after this site had notified it that a paste with 500 patients’ information had appeared on Pastebin with a note from the hackers. At the time, AOC gave this site a statement that said, in part: At the same time as all this was going on, we found out about the Pastebin dumps just before your email (yet remain grateful to your letting us know, as well) and have been trying since early Saturday to get the first removed and then the second one since yesterday. Last night, I discovered that in addition to the two pastes dated August 3rd that I reported yesterday as still being online, there was yet another paste – this one dated July 26 (after AOC’s statement) also still available online. This paste was identified by the hackers as a second copy of another paste. It also contains 500 patients’ details. Note that these pastes would be very hard for AOC to find as they would not show up in a routine search. But how many entities did the hackers share the links to these pastes with? Each paste was viewed at least dozens of times. DataBreaches.net has now requested that Pastebin remove this newly found paste, but that paste may put the number of unique patients’ leaked records at about 2,000 or more. I hope AOC has copies of all these pastes so that they know exactly which patients had their details leaked on Pastebin in addition to being put up for sale on TheRealDeal market. Update of Aug 22: the pastes are still online, and I have emailed Pastebin again to request removal or an explanation of why they haven’t removed these pastes.
Athens Orthopedic Clinic incident response leaves patients in the dark and out of pocket for protection
On June 26, after learning that databases with patients’ protected health information had been put up for sale on the dark web, DataBreaches.net began investigating and trying to alert the victim entities so that they could take immediate steps to try to mitigate harm to patients. By that evening, I had sent an email to Athens Orthopedic Clinic (AOC) in Georgia, to say that it appeared that they had been hacked. I followed up the next day via e-mail and a phone call to make sure they received my notification. On June 29, they issued a statement confirming that they were investigating a potential breach that they had first been made aware of in the previous 48 hours. But their incident response after that point raises questions about any risk assessment and plan for breach response that they may have had in place, and how decisions they made may have negatively impacted the very patients to whom they were and are responsible. Did AOC’s Response to Ransom Demands Lead to Retribution by Hackers? Dealing with a ransom demand, as was the case here, is never an easy situation or decision. Paying a ransom does not guarantee that the extorters will not come back at a later time and demand more money. Nor does it guarantee that the criminals will not take the ransom and then sell the patient data on the dark web anyway. There is really no clear guidance for healthcare entities as to how to respond to this type of situation, as HHS’s recent guidance on how to respond to a ransomware demand doesn’t really apply when you know that the attacker actually has all of your patients’ information and is threatening to misuse it, leak it, or sell it. But ticking off the criminals by telling them that you’ll pay and then not paying, or stringing them along – even if it is at someone’s suggestion – may have backfired for AOC’s patients. Had AOC simply refused to pay the ransom from the outset or had they paid it, TheDarkOverlord (TDO) hackers likely would not have as responded as punitively as they did. According to emails DataBreaches.net has read, at various points, AOC indicated that it was willing to pay some ransom but needed to work out a payment system. Later, they indicated they were willing to do a wire transfer. At other points, they didn’t respond by deadlines TDO had given them, infuriating the hackers. Read in sequence, the emails might appear to be stringing TDO along, stalling them, or jerking them around. And according to statements made to DataBreaches.net by TDO in encrypted chats, some of the public leaks of AOC’s patient information were in direct response to AOC failing to follow through on what it had told the hackers it would do. The TL;DR version is that TDO informed this site that they were determined to make an example of AOC to show the world that you don’t screw around with TDO. And they even warned AOC. As just one example, a snippet from one of their emails to AOC: If you continue to play these fucking games with us, a sort of hostage kill off is going to occur and leave thousands of patients records publicly listed and abused with your name signed to all of it as the source. So would patient data have been publicly leaked or would as much data have been leaked if AOC had made a decision, informed the attackers of that decision, and stuck to it? AOC’s ever-changing responses and missed deadlines appears to have resulted in more patients having their details leaked on Pastebin. Are Patients’ Data Still At Risk? Although AOC may have become a victim due to a vendor’s failure to secure their credentials, and while AOC trauma surgeon Chip Ogburn wrote a passionate and obviously heartfelt letter to patients assuring them that AOC is committed to rectifying the data breach, there are also other questions raised by AOC’s incident response. That AOC didn’t know that they had been hacked and only learned of the hack weeks later when they were alerted to it by this site is not surprising to anyone familiar with breaches. But it still begs the question as to what software or technical safeguards AOC had in place to detect intrusions and the exfiltration of hundreds of thousands of patients’ records that included image files. Both HHS and the FTC may have questions about that. See also: Quest Records LLC Breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked And once AOC confirmed that there had been an intrusion and patient data had been acquired, why didn’t they immediately change all passwords – even after the hackers contacted them and lectured them on their failure to change passwords? AOC’s statement on their web site says, in part (emphasis added by me): If you were a patient of any Athens Orthopedic Clinic location or the patient of a doctor or provider who worked with any of our locations on or before June 14, 2016, we regret to tell you that that our electronic medical records system has been compromised and that your personal information is vulnerable. but DataBreaches.net has seen correspondence indicating that information of patients seen after June 14 was still accessible to the hackers. These emails indicate that TDO informed AOC in mid-July that they still had access to AOC’s internal network. They even mentioned specific systems that were still vulnerable. Here are some snippets from TDO emails to AOC during June and July: …. We are still in your system right now in fact. You have done little to mitigate against an advanced attacker. Pulling the internet plug won’t help when you have embedded devices that run over a cellular network. …. Now up to this point, you should have already changed all the passwords and usernames for all your systems, but they were not changed for all your systems. They should have been amended immediately from the time we sent the first email. We understand it may take a day or two…. However, within a few hours of the second email they should have definitely been changed seeing as how we specifically listed some systems by name. For record, they were not changed even at this time. It is now over two weeks later, and the passwords are […]
Extortion demand on Athens Orthopedic Clinic escalates as patient data is dumped
On June 26, DataBreaches.net reported that several databases with patient information had allegedly been hacked and put up for sale on the dark net by hackers calling themselves TheDarkOverlord (TDO). This site subsequently identified one of the entities as the Athens Orthopedic Clinic in Georgia, and contacted them to alert them that it appeared that they had been hacked. On July 25, AOC publicly acknowledged that they had been hacked and patient data stolen. Their notification came just days after 500 patients’ information was leaked on Pastebin with a note to the CEO to “pay the f**k up.” The warning was in reference to a ransom demand of 500 BTC that had been made by TDO on June 27th. At the time, that sum converted to about $335,000. By the hackers’ calculations, AOC could protect the patient data from disclosure for about $1 per patient, which is considerably less than it would cost AOC to offer its patients credit monitoring services. Despite the bargain rate, the warning issued on Pastebin suggests that AOC was not complying with the ransom demand. As I noted in my previous reporting, when AOC did confirm and disclose the breach, they did not publicly acknowledge that they had received any ransom demand. Nor did they disclose that patient data had already been leaked on Pastebin. Today, more of AOC’s patient data was leaked on Pastebin. As is my policy, DataBreaches.net is not linking to the pastes. There may be more pastes than this site currently knows about, but at least 1,500 more AOC patients apparently had their information leaked today. In an encrypted chat with a spokesperson for TDO who declined to provide his individual nick or role in the hack and extortion demands, DataBreaches.net was told that TDO has already been selling the data on the dark net. The sales, they claim, would not show up on TheRealDeal Market (TRD), which they say they mainly use as a listing service. According to the spokesperson, TDO sells data, gives the buyer a chance (time) to misuse it, and then leaks the data publicly so others can also misuse it. If the spokesperson is being truthful (DataBreaches.net has no way to confirm or disconfirm these claims), then every AOC patient whose data has been leaked on Pastebin had their information previously sold to criminals. The spokesperson also stressed that if the patient’s information has not appeared on Pastebin, it has not (yet) been sold. So far, the TDO spokesperson claims, they have sold anywhere between 5,000 – 6,000 patients’ information. DataBreaches.net asked AOC to respond to the hackers’ claims and reiterated a request for an explanation as to why they have not publicly acknowledged any ransom demand, and why they have seemingly not informed patients that their information has been leaked. In response, a spokesperson for AOC sent the following statement: I’m unable to confirm any of what you write about what the hacker has recently told you. AOC continues to work with its team to take all available steps to mitigate the criminal actions of the hacker, to secure its system, and to inform its patients of what has happened. AOC reported the breach to both law enforcement authorities and to HHS and is in the process of fulfilling its notification requirements under HIPAA. As you know, we felt it best to get ahead of the official notification with early notice on AOC’s website, and toll-free line, as well as by providing you a quote early on and releasing information to a few select local media. In terms of your previous question re ransom demands, we have said to those who ask that there have been attempts at extortion for ransom. As you have reported, paying ransom does not guarantee any further criminal activity will not take place. We’ve asked Pastebin to take down all the dumps, as anyone can when they see illegal activity, as soon as we find out about them, and that has taken more than 24-48 hours for several. So if patients know to ask about ransom or whether their data have been publicly leaked, they may find out, but otherwise…? DataBreaches.net continues to believe that HHS should address this issue as an interpretation of HITECH: should patients be informed of such developments so that they have adequate information to assess their risk? In the meantime, TDO claims that they have been selling patient records for an average of $17.82 a record, with a low of $5.72/record to a high of $25 per record. Today, because AOC missed the ransom deadline, TDO raised the ransom demand to 700 BTC. In a statement to DataBreaches.net, they say: We are doing our best to ensure that our demands are either met or that further harm comes to AOC and their current and former patients. We hope that the current and former patients understand that Kayo Elliot has the power to cease all of this abuse and drama by satisfying our demands. We have been more than amicable from the beginning and have escalated as a result of non-compliance. If the past is any predictor of the future, DataBreaches.net expects to see many more pastes of AOC patient data, and possibly all of the database, which, according to TDO’s listing on TRD, has records on almost 397,000 patients. AOC patients should not only consider putting a security freeze on their credit reports, but should also be diligent about checking any explanation of benefits (EOB) statements they get from their health insurer, to see if there is any evidence that their insurance account information has been used for insurance fraud.
Athens Orthopedic Clinic to begin notifying patients of hack (UPDATE2)
On June 26, this site reported that a database with almost 397,000 patient records was up for sale on the dark net. I subsequently tentatively identified the entity as Athens Orthopedic Clinic in Georgia, but they never officially confirmed that it was their data, noting only that they were investigating and had only first found out about the breach – a claim that the TheDarkOverlord disputed. They also acknowledged to this site that they had received an extortion demand. TDO eventually identified AOC as the entity, but AOC has remained publicly silent – until now. Over the weekend, 500 patients ‘records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the fuck up.” DataBreaches.net contacted AOC to alert them to the paste and to ask for an update on their investigation and response. The following statement, received this evening, can be attributed to a spokesperson from their PR firm: We’ve been working hard to determine which patients were affected by the breach and how. That information was confirmed late last week. Since then we’ve been working hard to be sure we have correct addresses and to get a HIPAA patient notice properly prepared. That process continues with printing and mailing starting tomorrow. I understand HHS/OCR posting needs to happen after breach notification is in the patients’ hands. At the same time as all this was going on, we found out about the Pastebin dumps just before your email (yet remain grateful to your letting us know, as well) and have been trying since early Saturday to get the first removed and then the second one since yesterday. AOC is working with authorities. As of just a few minutes ago, we have a toll-free number live at 844-382-9364 for patients who may hear about the breach before they get our letter, as well as a statement on the AOC website. The text of their statement on their web site makes no mention of any extortion demand or their response to it, and does not directly name SRS, whose software the hackers had identified as vulnerable (see Update2, below) Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. Personal information of our current and former patients has been breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. We apologize for the stress and worry this situation may cause our patients and their families. We are committed to keeping patient information safe and assure you we are doing everything possible to retain your trust in our practice. If you are a current or past patient, we advise you to take the following steps: 1. Call the toll-free number of any of the three major credit bureaus (below) to place a fraud alert on your credit report. Equifax: (888)766-0008; www.fraudalerts.equifax.com. General: (800) 685-1111, www.equifax.com, P.O. Box 740241, Atlanta, GA 30374-0241. Experian: (888) 397-3742; https://www.experian.com/fraud/center.html. General: (888)EXPERIAN (397-3742); www.experian.com; 475 Anton Blvd., Costa Mesa, CA 92626. TransUnion: (800) 680-7289 (888-909-8872 for freeze); http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page; TransUnion Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19022-2000. General: (800) 680-7289; www.transunion.com 2. Order your credit reports. By establishing a fraud alert, you will receive a follow-up letter that will explain how you can receive a free copy of your credit report. When you receive your credit report, examine it closely and look for signs of fraud, such as credit accounts that are not yours, then continue to monitor your credit reports to ensure an imposter has not opened an account with your personal information. To protect against such breaches in the future, Athens Orthopedic Clinic has retained cyber security experts to investigate and make recommendations for additional improvements to our system, and have begun implementing these recommendations. You may contact our toll-free telephone number at 844-382-9364 for additional information. As always, our focus remains on patient care and we appreciate your understanding and patience. UPDATE1: It looks like TheDarkOverlord decided to contact local media and revealed more about their extortion demands. UPDATE2: Although TDO had informed this journalist that SRS software was vulnerable, that should not be construed as indicating that they were the third-party vendor being referred to in AOC’s statement – or in the statement by the Farmington entity, also released today. Note that in emails to AOC released on WGAUradio, the hackers make reference to AOC never changing passwords even after they were notified by the hackers of exactly what some of the compromised systems were. That claim bears further investigation and a statement from AOC as to why they did not change passwords. Were they advised not to, for some reason?
Peachtree Orthopedic Clinic notifies patients of hack (Update3)
Months after it was hacked by TheDarkOverlord, a second Atlanta orthopedic clinic notifies patients. Peachtree Orthopedic Clinic in Atlanta has disclosed that they were hacked. WSBTV has the story. But the hack wasn’t on September 22 as the news cast seems to suggest – that’s just when they confirmed it. This is all quite interesting, because I had reported on August 15 that they were investigating and the FBI was assisting. And as I noted in my report back then, everything I knew and had uncovered pointed to this being the work of TheDarkOverlord, who had actually given me the first clue to the breach at the end of June. So when was Peachtree actually hacked? And did the hack exploit RDP, some patient management software, or was this a case of a patient records management vendor having compromised credentials? There’s a lot more to ask Peachtree Orthopedic. Maybe this time, their external counsel won’t call me to tell me I’ve got wrong information. We’ll see… In the meantime, here is their notice from their web site: Patient care is at the center of our mission and we take seriously the confidentiality of the information we hold. We regret to inform you that on September 22, 2016 we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation. While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient’s treatment code, prescription records, or social security number may also have been taken. If you were a patient at Peachtree Orthopaedic Clinic prior to July 2014, you may be affected. In a small number of cases, patients who visited Peachtree Orthopaedic Clinic after July 2014 may also be affected. Our investigation is in its early stages, but we felt it was important to communicate what we know at this time. We regret any anxiety or frustration that this causes you and are committed to supporting you. We are reaching out directly to those affected via mailed letters and are offering one year of free identity protection services, including credit monitoring for affected individuals. In this letter, we will also outline other steps you can take to protect your identity, as well as information on how to access the free identity protection services. If you have any questions, we have established a dedicated call center, which can be reached by calling (844) 801-5973 between 9 a.m. and 9 p.m. ET, Monday-Friday. Thank you for your patience and understanding as we work through our investigation and try to provide you the best information and support that we can. We will share further information as we are able. Sincerely, Mike Butler CEO, Peachtree Orthopaedic Clinic Update 1: Later today, TDO issued a press release with some patient information and a link to a dump of some internal documents. But then, I never doubted they did this one. I assume that they’re trying the same failed strategy of naming entities and dumping some sensitive data to put pressure on the entity to pay an extortion demand, which they acknowledge they made. From their statement today: It all began many months ago when we acquired 543k patient records which contain both PII and PHI – well before the date of breach notice and alleged date of breach. 543,879 records for anyone counting. Oh, the things one could do with so much data! Some of you have been so kind as to suggest what to do with it all (Hello, ICIT!). After letting the records collect dust in a folder somewhere for months, we went to Peachtree Orthopedics – like Athens Orthopedic – and proposed a solution to the dilemma – we have data that they don’t want to us to have. With us both running a business, we hoped for a speedy resolution so we can go our separate ways – it was anything but. I’m not reproducing the rest of their release, but looking at the internal documents, it looks like it was exfiltrated on or about May 18. That makes sense given that TDO first told me on June 29 about a hack of an Atlanta clinic with Atlanta Braves players’ info. But if the data were hacked in May, when did POC first discover the breach? In mid -August, one of their employees told me that they had been investigating with the assistance of the FBI. But how did they first learn of the breach, and when? How is it that they were unable to confirm the breach until September 22? When did TDO first contact them with their extortion demand? Update2: I just took at look at the internal docs TDO dumped. There are some tax return-related data, a bunch of insurance billing codes, some personal information on patients and staff, a copy of the liability insurance policy, a file curiously named or renamed “CV of doctor to ransom.pdf,” and a plain text file with the names of insurance companies, their tax ID number, and the login credentials to every insurance site. The login credentials are pretty pathetic. Here are just a few, because I would hope that they have changed them already since they’ve known about the hack for a while: Aetnahttps://www.aetna.com/provweb Log In: PEACHTREE2001 Password: BILLING2001 Assurantwww.assurantproviders.com Login: poc2001 Password: billing01 AARPhttps://aarpprovideronlinetool.uhc.com Log In: bpoc Password: billing1 UNICARE www.unicare.com Log In: ORTHO2001 Password: 2001billing Update3: This breach was reported to HHS on November 18 as affecting 531,000 patients.
Patient info from Missouri clinic hacked by TheDarkOverlord remains online and available. Why?
In a post yesterday, I reported that protected health information and identity information of patients of Athens Orthopedic Clinic that had been leaked online by hackers remained available to anyone who knows where to look for it. Although it’s frustrating and understandably worrying to patients, I give AOC credit that they tried to find the leaks and plug them. I think patients of another victim of TheDarkOverlord have more cause to be upset with their provider, who neither responded to two notifications from this site that their patients’ information was leaking online nor got the records removed from public view. On June 29, this site contacted Midwest Orthopedic Pain & Spine* in Farmington, Missouri, to alert them that TheDarkOverlord (TDO) had leaked some of their patients’ data. They never responded nor asked me where the data had been dumped. Again on July 23, this site contacted them through their web site contact form to alert them that the patient data was still exposed on Pastebin and to ensure they had the url. Again, I got an auto-responder but no real response. In that July 23 message through his site, I wrote, in part: I am a journalist who contacted you in the past, but got no response. I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at http://pastebin.com/[redacted]. I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course. The Pastebin url is redacted for now in the above message because, despite my messages to them of June 29th and July 23, that June 29th paste – with 499 patients’ information – is still available to anyone who knows where to look for it. It has now been viewed 96 times. Another copy of the same data is also still available on Pastebin and has been viewed 192 times. The patients whose data were exposed in those duplicate pastes are those whose last names begin with the letter “A” and “B.” The types of data in the records may include name, Social Security number, date of birth, address, landline and cellphone number, and other details. On July 23, after sending the message to Midwest, I discovered another paste, dated that day, that contained an additional 1,006 patients’ records in the same format. Here are the headings of the data fields: Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1, Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone, Work Phone,Cell Phone And here is a screenshot – redacted by this site – showing that data were available to anyone who knows where to look for it. DataBreaches.net has today requested removal of the three pastes with patient data from Midwest Orthopedic Pain & Spine, but Midwest’s lack of response and inaction should be investigated by HHS and perhaps the Federal Trade Commission. If readers are aware of other patient data leaks that are still online, please let me know. Not all pastes can be removed (some sites have no removal policy), but Pastebin does have a removal policy and it should be possible to get patient data removed from that site if it’s been uploaded there. — * The medical group reportedly includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine; Dr. Christopher T. Sloan, D.P.M.
Athens Orthopedic committed to rectifying data breach issues
One of the surgeons at Athens Orthopedic Clinic in Georgia has written an open letter to patients and the community. I would encourage everyone to read it for perspective.