First, a quick update on the Athens Orthopedic Clinic breach: It took two requests, but I’m pleased to report that Pastebin removed three pastes with over 1,350 patients’ information. Those pastes were separate from an earlier paste with an additional 500 patients’ information. News outlets that continue to report that 500 patients’ information was exposed and put up for sale are, to be blunt, reporting inaccurately. Every AOC patient’s data was up for sale on the dark web, and the hackers claimed to have sold some of it (a claim that this site has no way of confirming or disputing). In addition, almost 2,000 AOC patients had their information on an easily accessed public site (Pastebin) where anyone could view it and copy it. For those unfamiliar with these things, Pastebin is on the web, not the dark web.

Following publication of my article that their patient data was still exposed on Pastebin, AOC did not contact this site to ask where the data could be found so that they could take steps to get it removed. Nor did they contact this site to say thank-you for this site’s efforts to get THEIR patients’ information out of public view. Just so you know.

But today, in going through my notes, I realized that there’s still another paste up on Pastebin from another victim of TheDarkOverlord. This paste has data that appears to be from 499 patients of Prosthetic & Orthotic Care. On July 9, I had reported on the P&O breach. In my report, I noted that I had made several attempts to notify them and speak to them, but they had not responded constructively. I even noted:

As of yesterday, some of their patients’ data had been dumped on a public paste site, and then there were those pictures…

P&O Care never got back to me. And like Athens Orthopedic Clinic, P&O Care never even asked me for the URLs of any paste I had discovered. Maybe if they had contacted me or asked, they could have had the paste removed.
Instead, it has been online since July 9 and has been viewed 181 times. There are 499 records in that paste with names, addresses, telephone numbers, insurance information, treatment codes, Social Security numbers (embedded in Medicare numbers), and more. The extent of information varies across patients, but it’s enough to cause problems. DataBreaches.net has today submitted a request to Pastebin seeking removal of this paste, but seriously, getting these pastes removed is the responsibility of the breached clinics – not this site.

Update Aug. 28: The data are still publicly available.

Update Aug. 30: The data are still publicly available and I’ve sent a second request to Pastebin to remove it. I had also notified the clinic the other day, but once again, they did not respond. The paste has now been viewed 186 times.

Update Aug. 31: And finally, it’s gone.
Another one of TheDarkOverlord’s targets has issued a statement about the hack and theft of their patient information. DataBreaches.net had identified this entity and first reported on the hack on July 9. Somewhat disturbingly, and as we have seen in other cases with the same parameters, Prosthetic & Orthotic Care (P&O Care) does not appear to be telling patients that their PII and PHI were actually dumped on Pastebin, and that the full database with all their information in plain text is up for sale on the dark web. I am still awaiting a response from HHS as to whether such information should be included to comply with the intention of HITECH that patients be given information relevant to their assessment of the risks they face.

ST. LOUIS, MISSOURI AND ILLINOIS, USA, July 29, 2016 — Prosthetic & Orthotic Care, Inc. is taking swift action to address a data breach by a malicious hacker that has resulted in the disclosure of its patient information. The office learned of the possibility of an incident on July 10, and the FBI began investigating the matter.

Exploiting a previously-unknown flaw in software purchased by P&O Care, the thieves obtained patient medical records that include names, contact information, P&O Care patient ID numbers, diagnostic codes, appointment dates and last billing amounts. Some records also contain Social Security numbers, birth dates, medical insurance company, and identification information and photos of procedures.

“P&O Care deeply regrets that this incident occurred and understands the importance of personal information security,” Jim Weber, P&O Care’s Chief Executive Officer, said.
“We are working diligently to notify our patients of this risk, and in light of this attack, we are also working with a nationally recognized security firm to further enhance our security and guard our patients’ information.”

The steps underway to respond to this breach and further improve the security of P&O Care’s patient records include:

• Providing notice of the theft to those identified as potentially being at risk
• Advising patients on specific steps they can take to protect against identity theft; for example, patients are advised against providing or verifying any unsolicited requests to confirm any sensitive personal information
• Providing patients with a year of credit monitoring through AllClearID, a leading provider of identity theft protection services, at no expense to patients
• Operating a toll free number dedicated to providing information to those affected by the attack
• Retaining a nationally recognized security firm to advise on measures to enhance security
• Adding additional measures to thwart future attacks
• Monitoring the system to detect any signs of an ongoing attack

Additionally, actions individuals should take to protect themselves from potential harm resulting from the breach include:

• Immediately file a report with local police if you believe your identity has been stolen
• Place an Initial Fraud Alert on your accounts, which can be done by contacting any one of the three credit reporting agencies; once you place an initial fraud alert with one of the three credit agencies, it will share that information with the other two
• Review the FTC’s publication, “Taking Charge: What To Do If Your Identity Is Stolen,” which contains additional valuable information, including step-by-step checklists to report and repair identity theft – find the publication at https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf

Those affected will be receiving a notification letter with a toll free number they may call with further questions.
In the meantime, potentially affected persons seeking additional information may email [email protected]

About Prosthetic and Orthotic Care, Inc.

P&O Care is a team of health care professionals whose mission is to improve the quality of life of our patients by consistently providing patient-focused, value-driven solutions through the innovative design, fabrication and fitting of the highest quality custom prosthetic and orthotic devices. As an independently owned and operated prosthetic and orthotic company, the decisions that we make about the services we provide, the products we recommend, and your care management are truly patient-centered.

Dan Nelson
Armstrong Teasdale LLP
(314) 621-5070
“We’ll not be caught, ever.” — TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”). At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated. Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

Athens Orthopedic Clinic
Peachtree Orthopedics
OC Gastrocare
An unnamed clinic in New York and an unnamed clinic in Oklahoma ??
Aesthetic Dentistry (New York)
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine
Little Red Door Cancer Services of East Indiana
Tampa Bay Surgery Center
La Quinta Center for Cosmetic Dentistry
Feinstein & Roe
Dougherty Laser Vision
Coliseum Pediatric Dentistry (aka Hampton Road Dentistry)

A few notes on the above: The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents.

Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes.

Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

How many of the twelve confirmed breaches were reported to HHS?
How many of the twelve confirmed breaches were reported to state regulators?
How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

Athens Orthopedic Clinic
Peachtree Orthopedics
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.
And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches. So why haven’t 8 of the 12 breaches been reported to HHS? DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet.

In answer to the second question: none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google. Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients.
So here’s my request to the public: If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it? You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

OC Gastrocare
Aesthetic Dentistry (New York)
Tampa Bay Surgery Center
La Quinta Center for […]
A U.K. man extradited to the U.S. in December to stand trial for his role in thedarkoverlord (TDO) has agreed to plead guilty to resolve all charges against him. Nathan Francis Wyatt, also known as “Crafty Cockney,” has agreed to plead guilty to charges stemming from his role in some of thedarkoverlord’s attacks on entities in Missouri and Georgia in 2016.

The attacks on medical entities shocked the public because the attackers named and shamed their victims and started dumping patient data if the victims did not pay their extortion demands, which were often in the range of hundreds of thousands of dollars. TDO’s tactics also included calling the victim entities or their family members on the phone or sending them aggressive or crude messages.

From the description in court filings, the federal charges against Wyatt stemmed from his alleged roles in attacks against Athens Orthopedic Clinic in Atlanta, Midwest Pain & Spine in Missouri, Prosthetic & Orthotic Care in Missouri, Quest Health Information Management Solutions, and one entity not related to healthcare. None of the victims were named in court filings and the preceding attributions are based on this site’s knowledge of TDO’s attacks and the court’s description of the victims.

On May 20, Wyatt’s trial, which had been scheduled to begin June 15, had been delayed to September 21 due to the pandemic. The court noted that holding the trial in June would endanger the public and make it difficult to assemble a fair cross-section of citizens to serve on the jury. Yesterday, however, both his counsel and the government filed a joint motion with the court requesting a consolidated plea and sentencing hearing.

Wyatt is represented by a federal public defender, Brocca Morrison. The government is represented by Senior Counsel Laura Kate-Bernstein, Jeffrey B. Jensen, United States Attorney for the Eastern District of Missouri, and Gwendolyn E. Carroll of the Eastern District of Missouri.
As detailed in previous coverage on this site, Wyatt had been charged with:

One count of conspiracy against the U.S. (18 USC 371);
Two counts of aggravated identity theft (18 USC 1028); and
Three counts of threatening damage to a protected computer (18 USC 1030)

He was not charged with actual hacking.

The agreed-upon but not yet disclosed guilty plea comes as no surprise because the amount of evidence the prosecution had amassed was somewhat staggering. That said, this site and its blogger have disputed any claim that Wyatt was ever the leader of thedarkoverlord in 2016 or 2017, but it was clear from my interviews and chats with him that he had been involved in assisting or conspiring with one other person in a number of ways.

The plea and sentencing hearing will not take place for at least 90 days.

Wyatt is the first person to have been publicly identified as arrested and charged for participation in TDO crimes. He had claimed in the past to know the real identity of the young person that he referred to as “Dark” but that claim may have been part of a scam that he was trying to run. Wyatt reportedly later told someone else that he didn’t know the other’s real identity.
The Georgia Supreme Court has breathed new life into a lawsuit by patients of Athens Orthopedic Clinic (AOC) whose data were stolen by thedarkoverlord in 2016. In a decision issued this week, the judges unanimously reversed the Court of Appeals’ dismissal of the lawsuit, vacated other parts of their ruling, and remanded the case.

At issue before the court was how Georgia law would apply the cognizable injury required for standing in a negligence suit under state law. The lower court had granted the clinic’s motion to dismiss based on the majority agreeing that any harm alleged by the plaintiffs was future harm and speculative. The state supreme court agreed with the plaintiffs, however, finding that they had alleged enough harm to survive a motion to dismiss.

The Athens Orthopedic Clinic case was one of thedarkoverlord’s earliest known hacks and extortion attempts in June, 2016. This site’s coverage of the case and its aftermath can be found linked from here. When the clinic wouldn’t pay the extortion demand, the hackers allegedly falsely claimed to have sold some of the data that they had listed on a dark web marketplace. But eventually, the hackers also began publicly releasing actual segments of the patient database on Pastebin. The pastes were downloaded by unnamed others, increasing the risk that patient data was falling into criminals’ hands or was being acquired by those who could and would misuse it. At least one named plaintiff, Christine Collins, alleged that she suffered actual fraudulent activity on her credit card shortly following the attack.

To add to the patients’ concerns, AOC announced that it did not have any insurance that would cover it for offering affected patients credit monitoring and/or identity theft restoration services.

While the litigation continues to work its way through the courts, one member of thedarkoverlord is preparing to stand trial for his role in the attack on the clinic and four other attacks.
Although not identified by name, AOC appears to be Victim 5 in Nathan Wyatt’s indictment. It also appears that AOC was the victim who received the “rap-style” phone threats, allegedly made by Wyatt.

AOC reported the incident to HHS in the summer of 2016, but there is still no closing summary on any investigation by OCR, which may mean that they still have an open investigation or case. DataBreaches.net notes that OCR already closed its investigation into other TDO hacks during that same time period, including two of the Missouri victims involved in the Wyatt case: Prosthetic & Orthotic Care and Midwest Orthopedic Pain and Spine. The fact that the AOC case is not closed could mean that the Atlanta region of OCR is just more backlogged than Missouri, or it may be a sign that AOC is not out of the woods with OCR yet.

One of the questions OCR may have for AOC may relate to claims by the hackers that even after AOC knew that they had been hacked, they still didn’t change their login credentials to all their systems, even after weeks and two emails from the hackers letting them know that they still had access. Not only might OCR have some questions as to whether that happened, but if it did happen, it might support the plaintiffs’ negligence claims.