Georgia Supreme Court resuscitates patient lawsuit against Athens Orthopedic Clinic
The Georgia Supreme Court has breathed new life into a lawsuit by patients of Athens Orthopedic Clinic (AOC) whose data were stolen by thedarkoverlord in 2016. In a decision issued this week, the judges unanimously reversed the Court of Appeals’ dismissal of the lawsuit, vacated other parts of their ruling, and remanded the case. At issue before the court was how Georgia law would apply the cognizable injury required for standing in a negligence suit under state law. The lower court had granted the clinic’s motion to dismiss based on the majority agreeing that any harm alleged by the plaintiffs was future harm and speculative. The state supreme court agreed with the plaintiffs, however, finding hat they had alleged enough harm to survive a motion to dismiss. The Athens Orthopedic Clinic case was one of thedarkoverlord’s earliest known hacks and extortion attempts in June, 2016. This site’s coverage of the case and its aftermath can be found linked from here. When the clinic wouldn’t pay the extortion demand, the hackers allegedly falsely claimed to have sold some of the data that they had listed on a dark web marketplace. But eventually, the hackers also began publicly releasing actual segments of the patient database on Pastebin. The pastes were downloaded by unnamed others, increasing the risk that patient data was falling into criminals’ hands or was being acquired by those who could and would misuse it. At least one named plaintiff, Christine Collins, alleged that she suffered actual fraudulent activity on her credit card shortly following the attack. To add to the patients’ concerns, AOC announced that it did not have any insurance that would cover it for offering affected patients credit monitoring and/or identity theft restoration services. While the litigation continues to work its way through the courts, one member of thedarkoverlord is preparing to stand trial for his role in the attack on the clinic and four other attacks. Although not identified by name, AOC appears to be Victim 5 in Nathan Wyatt’s indictment. It also appears that AOC was the victim who received the “rap-style” phone threats, allegedly made by Wyatt. AOC reported the incident to HHS in the summer of 2016, but there is still no closing summary on any investigation by OCR, which may mean that they still have an open investigation or case. DataBreaches.net notes that OCR already closed its investigation into other TDO hacks during that same time period, including two of the Missouri victims involved in the Wyatt case: Prosthetic & Orthotics Care and Midwest Orthopedic Pain and Spine. The fact that the AOC case is not closed could mean that the Atlanta region of OCR is just more backlogged than Missouri, or it may be a sign that AOC is not out of the woods with OCR yet. One of the questions OCR may have for AOC may relate to claims by the hackers that even after AOC knew that they had been hacked, they still didn’t change their login credentials to all their systems, even after weeks and two emails from the hackers letting them know that they still had access. Not only might OCR have some questions as to whether that happened, but if it did happen, it might support the plaintiffs’ negligence claims.
Member of thedarkoverlord sentenced to 60 months and $1.4 million in restitution
The first — and so far, only — person to have been arrested and charged as a member of “thedarkoverlord” pleaded guilty today in federal court in Missouri. Nathan Francis Wyatt, 39, of Wellingborough, Northamptonshire in the U.K. was sentenced by Judge Judge Ronnie L. White to 60 months in prison and almost $1.5 million in restitution. Wyatt, who used screen names including “Crafty Cockney” and “Mas,” had been indicted by a grand jury in November, 2017, and charged for his role in thedarkoverlord attacks against five victim entities in Missouri and Atlanta. The indictment had contained 6 counts: 1 count of conspiracy, 2 counts of aggravated identity theft, and 3 counts of threatening to damage a protected computer. Wyatt was extradited to the U.S. in December, 2019, and had been in custody since then in the St. Charles jail. Most of the government’s evidence against Wyatt came from Wyatt himself — he opened a PayPal account, registered a phone account, a Gmail account, a Twitter account, and a virtual private network that were all used as part of the scheme to hack and extort victims — and he created them all using information that led straight back to him. The government was represented by Gwendolyn Eleanor Carroll of the U.S. Attorney’s Office in St. Louis and Laura Kathleen Bernstein of the U.S. Department of Justice Criminal Division. Some of the evidence against Wyatt has been documented in extensive previous coverage of him by this site, but some of the evidence had been under seal, including some very threatening messages TDO sent to victims in this case. While the public was already aware that thedarkoverlord often researched their victims and would refer to their family members in ways that suggested future harassment or harm, the government’s filing contained examples not previously revealed. From the presentencing filing: …. one ransom demand, which is redacted here, threatened, “[w]e imagine that the same, careful, delicate care you give your patients, you also give your beautiful wife. What was her name? S******? S.M.V. (***-**-****)? Let’s hope that she stays beautiful and that nothing unfortunate happens to her. Who knows? It’s bound to happen with you leaving her alone all the time over there on [address] (Parcel ID **-**-**-**-***-****.**). We heard that it is for sale and maybe we will check it out sometime.” Gov’t Sealed Exhibit A. The letter went on to list details about the owner’s children, and even included threats to the owner’s parents: “[y]our elderly parents do not need this sort of stress in their golden years. What were their names again?,” and then listed the full names and social security numbers of the victim’s parents. PSR ¶ 23; Gov’t Sealed Exhibit A. In another example cited by the government, the daughter of one of the victims was on the receiving end of frightening communications that used a telephone account registered by Wyatt: hi [K] you look peaceful….by the way did your daddy tell you he refused to pay us when we stole his company files..in 4 days we will be releasing for sale thousands of patient info. including yours… 19 in febuary?…weve all had a look and we all think your hot. soon some really evil men will be looking at you..possibly thru your window. your father is also looking at multiple felonies..so say good bye to the house.. all bcs daddy wouldnt pay a much smaller sum to make all this go away. Daddys fucked you [K]….And incest is a crime… sweetdreams Gov’t Sealed Exhibit C. Note that the government did not claim that Wyatt wrote or transmitted all of the threats. But he was charged with being part of the conspiracy that did engage in those behaviors and a phone used in the conspiracy was registered in his name. Wyatt pleaded guilty to the one count of conspiracy in exchange for the government dropping the other five counts of aggravated identity theft and fraud activity connected to computers. He was represented by Brocca L. Morrison and Rachel Marissa Korenblat of the federal public defender’s office. Throughout most of the hearing, which was held by Zoom conference because of the pandemic, Wyatt confined himself to quietly answering, “Yes, Your Honor,” or “No, Your Honor” when the judge would ask him questions. After accepting Wyatt’s guilty plea, both the defense and prosecution made statements about sentencing recommendations, having previously agreed on the guidelines’ application to the case. Wyatt’s counsel noted that they couldn’t really contact much family because he had no family in the U.S., but his long-time partner had written a letter to the court describing Wyatt’s character as a loving father and devoted partner. The defense also noted how Wyatt had medical issues, and had only recently been diagnosed with Asperger’s Disorder. Prior to proper diagnosis, medication, and counseling, he had admittedly made bad decisions in a serious case. As his lawyer noted, Wyatt was caught because he registered accounts in his own name. He was not a sophisticated criminal, while thedarkoverlord was a sophisticated criminal operation. According to his lawyer, Wyatt was not the person who orchestrated TDO. He had great remorse and shame for what he had done, but especially for what he had done to his family who he had “left in the lurch.” When given an opportunity to speak, Wyatt struggled to compose himself. He admitted that he had mental problems that had led to bad decisions, but now that he was medicated, he was beginning to recognize when he was experiencing mania. But more than anything, he just wanted to go home to his family and never see another computer ever again. Judge White imposed a sentence of 60 months. The judge did not seem swayed by defense counsel’s argument that most defendants get measures like half-way houses or incentive programs that reduce their total time in jail, and that Wyatt would wind up serving at least 85% of his sentence. Wyatt was also sentenced to $1,467,048.07 in restitution: Athens Orthopedic: $877,585.00 Midwest […]
Irony: When blackhats are our only source of disclosure for some healthcare hacks (Update1)
“We’ll not be caught, ever.” — TheDarkOverlord, June 21, 2017 At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability? Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”). At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated. Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information. And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions. First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage: Athens Orthopedic Clinic Peachtree Orthopedics OC Gastrocare An unnamed clinic in New York and an unnamed clinic in Oklahoma ?? Aesthetic Dentistry (New York) Prosthetic & Orthotic Care Midwest Orthopedic Pain & Spine Little Red Door Cancer Services of East Indiana Tampa Bay Surgery Center La Quinta Center for Cosmetic Dentistry Feinstein & Roe Dougherty Laser Vision Coliseum Pediatric Dentistry (aka Hampton Road Dentistry) A few notes on the above: The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents. Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes. Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked. Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking: How many of the twelve confirmed breaches were reported to HHS? How many of the twelve confirmed breaches were reported to state regulators? How many of the twelve confirmed breaches resulted in notifications to the affected patients? Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS: Athens Orthopedic Clinic Peachtree Orthopedics Prosthetic & Orthotic Care Midwest Orthopedic Pain & Spine Now that may be because not all entities are HIPAA-covered entities. And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches. So why haven’t 8 of the 12 breaches been reported to HHS? DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet. In answer to the second question: none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW). As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google. Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients. So here’s my request to the public: If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it? You can use the comments section to answer, but if you have a notification letter you can send me, let me know. OC Gastrocare Aesthetic Dentistry (New York) Tampa Bay Surgery Center La Quinta Center for […]
TheDarkOverlord dumps 180,000 patients’ records from 3 hacks
While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more tv films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year. All told, almost 180,000 patients had their personal information shared with the world. Two of the incidents were previously known to this site, and had already been included in monthly analyses provided by this site to Protenus for their Breach Barometer reports. But for the benefit of those readers or journalists who seem to be first discovering TDO, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site): Athens Orthopedic Clinic Peachtree Orthopedics OC Gastrocare An unnamed clinic in New York Aesthetic Dentistry Prosthetic & Orthotic Care Midwest Orthopedic Pain & Spine Little Red Door Cancer Services of East Indiana An unnamed clinic in Oklahoma DataBreaches.net strongly suspects that there are other medical clinics that were also attacked but never disclosed publicly. In addition to medical clinics/providers and insurers, TDO’s victims have also included software and third-party vendors like PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer where 9.3 million records were listed for sale on TheRealDeal. And then there were that attacks in other sectors, like the attacks on WestPark Capital, Gorilla Glue , Pre-Con Products, G.S. Polymers, DRI Title, and other entities. For those who are new to TDO’s playbook, be aware that if they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market for the data or no longer any market for the data. Dumping the database is often part of their strategy to send a warning to future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold. Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of their playbook, which may explain why they have dropped three databases today. Whatever their reasons, here’s what we know so far about today’s three newly dumped databases: Aesthetic Dentistry Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply: Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin. Despite the public pressure of revealing named patients’ medical diagnoses and other details, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought. Today – seven months after their initial disclosure – TDO tweeted: Don’t mind us as we dust off 3.5k dentistry patient records: https://t.co/o5dewUPA8y — thedarkoverlord (@tdohack3r) May 4, 2017 “Don’t mind us as we dust off 3.5k dentistry patient records:” The database, in .csv format, contains 3,496 patient records, where the field headings include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text. What may be of especial concern to patients, apart from the risk of fraud, is the disclosure of their health information. Diagnoses included in the database included cardiac diagnoses such as heart murmur, hypertension, kidney diseases, psychiatric conditions such as depression, and various allergies and sensitivities, etc. Aesthetic Dentistry never responded to inquiries sent to them in January and February by this site. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request in February with HHS as to whether this incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request. OC Gastrocare OC Gastrocare in California is another entity that TDO hacked last year and that they had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase pressure on them to pay. Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted: Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients: https://t.co/3OojH3PrVs — thedarkoverlord (@tdohack3r) May 4, 2017 “Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients:” Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ parts. To this day, TDO’s public statements often reveal that they try to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms). TDO has occasionally commented to this site that they believe clinics are not doing right by their patients by refusing to pay “modest” extortion demands that could protect the patients’ privacy. In other cases, they had informed this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing. So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain it. The OC Gastrocare data contains approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number are in plain text. Tampa Bay Surgery Center The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before: Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us. https://t.co/gAlt5rhOXd — thedarkoverlord (@tdohack3r) May 4, 2017 “Into the hundred […]
Patient info from Missouri clinic hacked by TheDarkOverlord remains online and available. Why?
In a post yesterday, I reported that protected health information and identity information of patients of Athens Orthopedic Clinic that had been leaked online by hackers remained available to anyone who knows where to look for it. Although it’s frustrating and understandably worrying to patients, I give AOC credit that they tried to find the leaks and plug them. I think patients of another victim of TheDarkOverlord have more cause to be upset with their provider, who neither responded to two notifications from this site that their patients’ information was leaking online nor got the records removed from public view. On June 29, this site contacted Midwest Orthopedic Pain & Spine* in Farmington, Missouri, to alert them that TheDarkOverlord (TDO) had leaked some of their patients’ data. They never responded nor asked me where the data had been dumped. Again on July 23, this site contacted them through their web site contact form to alert them that the patient data was still exposed on Pastebin and to ensure they had the url. Again, I got an auto-responder but no real response. In that July 23 message through his site, I wrote, in part: I am a journalist who contacted you in the past, but got no response. I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at http://pastebin.com/[redacted]. I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course. The Pastebin url is redacted for now in the above message because, despite my messages to them of June 29th and July 23, that June 29th paste – with 499 patients’ information – is still available to anyone who knows where to look for it. It has now been viewed 96 times. Another copy of the same data is also still available on Pastebin and has been viewed 192 times. The patients whose data were exposed in those duplicate pastes are those whose last names begin with the letter “A” and “B.” The types of data in the records may include name, Social Security number, date of birth, address, landline and cellphone number, and other details. On July 23, after sending the message to Midwest, I discovered another paste, dated that day, that contained an additional 1,006 patients’ records in the same format. Here are the headings of the data fields: Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1, Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone, Work Phone,Cell Phone And here is a screenshot – redacted by this site – showing that data were available to anyone who knows where to look for it. DataBreaches.net has today requested removal of the three pastes with patient data from Midwest Orthopedic Pain & Spine, but Midwest’s lack of response and inaction should be investigated by HHS and perhaps the Federal Trade Commission. If readers are aware of other patient data leaks that are still online, please let me know. Not all pastes can be removed (some sites have no removal policy), but Pastebin does have a removal policy and it should be possible to get patient data removed from that site if it’s been uploaded there. — * The medical group reportedly includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine; Dr. Christopher T. Sloan, D.P.M.
Quest Records LLC breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked
At the end of June, DeepDotWeb broke the story that hackers calling themselves TheDarkOverlord (TDO) had put three databases with patient information up for sale on the dark net. Although the owners of the databases were not listed, DataBreaches.net was able to identify two of the three entities as the Athens Orthopedic Clinic (AOC) in Atlanta and Midwest Orthopedic Pain and Spine (MOPS) in Farmington, Missouri. Both entities reportedly received ransom demands from TDO to pay up if they wanted their patient data destroyed and not sold, but as of August 6, no ransom had been paid, according to TDO. Whether any has been paid since then is unknown, but doubtful. The third database, from an entity originally described as being in the midwest but later identified more specifically as being in Oklahoma City, was never identified by DataBreaches.net nor named by TDO. TDO later claimed that they wouldn’t be naming them because the entity had paid the ransom and their for-sale listing was removed from TheRealDeal Market. But paying any ransom does not negate any obligations under HIPAA and HITECH to notify patients and HHS of a breach, and DataBreaches.net notes that there is currently no entry on HHS’s public breach tool that would correspond to any incident in Oklahoma affecting approximately 210,000 patients. Either the Oklahoma City entity did not report the incident to HHS, they reported but HHS has yet to post the report, or TDO fabricated claims about an OKC database paying ransom to boost its reputation. Given that TDO lied to some news outlets (including this one) in other claims, any of the three explanations seem possible at this point. The day after they created headlines over those three databases for sale, TDO also listed for sale what they described as an insurer’s database with 9.3 million records. After attempting to contact people whose data were included in an expanded sample of data provided to this site by TDO, DataBreaches.net suspected that the database was linked to United Healthcare, but UHC denied it was their data. As I noted in my report, their denial statement did not really rule out that it was one of their vendors. In a recent encrypted chat with a TDO spokesperson, the spokesperson claimed that the data had come from a vendor who was a lead generator for UHC but that UHC was “responsible.” TDO did not clarify what they meant by that and did not name that vendor. To the best of DataBreaches.net’s information, no ransom was paid in that situation, either. In July, TDO started leaking some of the AOC and MOPS patients’ information on Pastebin, while yet three more entities had their patient databases listed for sale on TheRealDeal. DataBreaches.net was able to identify two of three, and as I had done with AOC, notified those two promptly to alert them that their patient data appeared to have been compromised: Prosthetic & Orthotic Care, Inc. (P&O Care), who would also have patient data and images leaked on Pastebin and Twitter, an entity in New York that DataBreaches.net was unable to identify, and PilotFish Technology (PFT). The source code for the latter was subsequently listed for sale on AlphaBay (see InfoArmor’s detailed analysis of the code and the risks it poses). In an encrypted chat, TDO confirmed to DataBreaches.net that they had attempted to extort PFT. As far as DataBreaches.net knows, neither P&O nor the unnamed NY entity paid any ransom. So far, then, the only publicly mentioned entity/victim that may have paid any ransom is an unnamed OKC entity. TDO’s business model of attempting to extort entities in the healthcare sector via putting their databases up for sale, naming them if they resisted paying ransom, and then leaking patient data and alerting the media to such developments to increase the pressure on the victims, does not appear to have had any clear commercial success. Given that they were demanding fairly high ransoms, one can only wonder if their model might have worked if they had demanded smaller ransom amounts, although RexMundi also encountered refusal to pay ransom in their European-based attacks. But even if the extortion business model appeared to be something of a commercial flop as publicly executed, the fact remains that a number of entities in the healthcare sector had their patient or client information hacked and acquired – and put up for sale. And in addition to the databases that have been, and remain, listed for sale, other victim entities were alluded to by TDO publicly and in encrypted chats with DataBreaches.net. Other Entities Investigating Although a TDO spokesperson told DataBreaches.net and other news outlets that they had a 0day that they used to gain access to some of their targets, some victims’ disclosures have made reference to compromise of an unnamed vendor’s credentials as being responsible for their breach. Last week, DataBreaches.net became aware that at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information. One of those entities is Peachtree Orthopedic Clinic (POC) in Atlanta. In a telephone conversation last Wednesday, an IT employee confirmed to DataBreaches.net that they have been investigating for weeks, trying to assess what may have happened and that the FBI has been assisting them. The employee also confirmed that they were a client of the vendor that DataBreaches.net has been able to identify and names later in this report. Several pieces of information had led me to suspect that POC might have become a victim of TDO, but I’ll only mention two of them here for now. One piece was that POC’s web site has a section on Team Affiliations that lists the Atlanta Braves and other teams. As I had reported on June 29, TDO had informed me in a private chat that they intended to release a database that day that I had described in my report as relating to a “major Atlanta sports team.” That team had actually been named by TDO to me as the Atlanta Braves. But TDO had also informed me that it was not the Atlanta Braves organization that had been hacked but another entity – a clinic – that was involved with the Atlanta Braves and other sports teams, a description that matches POC’s web site. Second, POC is an orthopedic clinic, and TDO had hit other orthopedic clinics, including Athens Orthopedic Clinic, which, like Peachtree, is also in the Atlanta area. Several hours after my phone conversation with the POC […]
Three TheDarkOverlord incidents appear on HHS’s public breach tool
Quick note to point out that three of TheDarkOverlord’s victims have reported their breaches to HHS, although the numbers they report do not always match what had been claimed by TDO and previously reported in the media: Midwest Orthopedic Pain and Spine reported that 29,153 patients (not 48,000) were affected; Athens Orthopedic Clinic reported that 201,000 patients (not 397,000) were affected; and Prosthetic & Orthotic Care, Inc. reported that 23,015 patients were affected which is very close to what TDO had claimed). Oddly, perhaps, Athens Orthopedic Clinic reported the incident as “Unauthorized Access/Disclosure” as opposed to Hacking/IT Incident, which I think is the more appropriate classification for what happened and what the other two victims reported.
MO: A second TheDarkOverlord target confirms hack (updated)
In the past 24 hours, two of TheDarkOverlord’s targets have publicly acknowledged breaches previously reported by this site. Yesterday, it was the Athens Orthopedic Clinic in Georgia who issued a public statement (previous coverage). Today, it’s a group of clinics in Farmington, Missouri (previous coverage). Daily Journal Online reports: The medical group which includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine Dr. Christopher T. Sloan, D.P.M. sent letters to patients earlier this week stating a data breach was discovered. “We write to inform you that our practice discovered a data breach on May 27, 2016 that may have contained personal health information and have been investigating the exact nature and scope of the information obtained by the hackers since,” the letter reads. “To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients including: names, addresses, social security numbers, date of births, diagnoses, lab results, other medical records, and potentially some financial information.” Read more on DailyJournalOnline. Of note, both entities made mention that the attacker likely got access by an unnamed third party contractor. Also of note, neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. I’m not sure how well patients can really protect themselves if they don’t know the full scope of a situation. Hopefully, the letters sent to patients provide additional information. The two entities have not responded totally similarly, however. This site contacted both entities several times over the past month, in some cases to alert them that their patients’ information had been dumped on Pastebin, and that they could get it removed by following Pastebin’s procedures. Athens Orthopedic Clinic responded promptly to the notification (they were already aware of it, it appears), and got the paste(s) removed. Dr. Van Ness did not respond to repeated alerts, however, and his patients’ information remains exposed on Pastebin. I will not link to the exposed data, but I have autoresponses from Midwest Orthopedic Center dated June 29th to my first notification. On July 23, weeks later, I sent them another message through their site: I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at [redacted]. I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course. Other than autoresponses, I received no response, and as of today, the data are still exposed. I don’t know what the FTC or OCR would say about this, but as part of incident response, shouldn’t entities be looking for such data dumps and trying to get them removed? And if you don’t know about it, and someone takes the time to alert you not once, but twice, shouldn’t you do something? Seriously: even if for some reason, they never read the messages submitted through their own site’s contact form, once they knew they were hacked, shouldn’t their incident response have included searching their name for reports or stories on the internet? Had they done so, they would have found some of my previous coverage and the paste situation mentioned. So they had at least three ways to find out and do something about it, but have done nothing? I would love to hear their explanation for this part of their breach response. If I were one of their patients whose personal information has been sitting exposed since June 29, I’d be ticked off at them for that, because yes, name, date of birth, Social Security number, and other personal information have all been dumped. Update Aug. 3: When this was reported to HHS, it was reported as affecting 29,153 patients, considerably less than what TheRealDeal Market listing indicated of 48,000 patients. It is not clear whether the 29,153 figure is for all of the associated facilities or just the Midwest Orthopedic & Spine entity.
Healthcare Sector Under Attack? Yes.
From a new report by InfoArmor: InfoArmor has identified a group of bad actors performing targeted cyberattacks on healthcare institutions and their IT infrastructure, including connected medical devices such as Magnetic Resonance Imaging systems (MRI), X-ray machines and mobile computing healthcare workstations. This group of bad actors has performed at least four successful attacks against US-based organizations of varying size, compromising a significant number of medical records. The threat actors claim to have stolen millions of medical records and gained unauthorized access for ransomware distribution. The four incidents InfoArmor refers to have all previously been reported on this site, but there are actually more than four that we already know about: A database from Farmington, Missouri with 48,000 patients’ records. DataBreaches.net subsequently identified that one as Midwest Orthopedic Pain & Spine clinic owned by Dr. Scott Van Ness. TheDarkOverlord subsequently confirmed that in a paste where they dumped 499 records, and in tweets. A database from Oklahoma City with 210,000 patients’ records. That one has yet to be publicly named, and although DataBreaches.net has a strong suspicion who it is, will not name them without more indicators. A database from Atlanta, Georgia with 397,000 records. DataBreaches.net identified that one as being from Athens Orthopedic Group, and although they never officially confirmed it to me, @tdohack3r did later name them in a tweet that was subsequently deleted. A database from Bronx, NY with 34,000 records. This one has not been identified and I’ve seen no further follow-up on it. A database from Fairview, Illinois with 23,565 patients’ records. DataBreaches.net identified this one as being from P&O Care in Fairview. Although they have not responded to several inquiries, field codes in the sample data in combination with pictures in an earlier tweet from @tdohack34 enabled identification. A database with 9.3 million records that were described as being from a large health insurer. DataBreaches.net believes that this was not necessarily a direct attack on an insurer, but may have involved a vendor or business associate. Much of the information appeared to be old, e.g., an email address listed for one member was their email address no later than 2012, and many other email addresses indicated email services that are no longer popular. Although the insurer DataBreaches.net believes is linked to this mess sent this site a carefully worded denial, they have not answered the question as to whether they were denying that this was a breach at one of their vendors. Here is their spokesperson’s most recent statement to me: I checked with our team and there is no evidence to suggest our data or systems were compromised as it relates to this matter. Protecting our members’ and customers’ information is a top priority for us–we remain vigilant and continue to closely monitor the security and integrity of our environment. Their statement does not really rule out a vendor or third party, especially when someone in the sample data, who was contacted by DataBreaches.net, identified this insurer as always having been their insurer. None of the above attacks involved ransomware. From what the hackers told DeepDotWeb and the Daily Dot, there appear to have been ransom demands, but the demands were so that patient data would not be sold on the black market. As far as this site has been able to determine, the initial attacks did not lock up systems or interfere with operations of the targeted facilities. To date, none of the above incidents have shown up on HHS’s public breach tool, and none of the above entities have issued public statements acknowledging any breach. I would assume that the entities all plan to notify HHS, even if they pay ransom, as their patients’ records fell into criminal hands, and even if the criminals promised to delete the data they acquired, there is no assurance or proof that they would. Yesterday, the same hackers added a new offering: The description: Listed here is the source code, signing keys, and licensing database stolen from a large HL7 software developer located in the United States. This HL7 software has been distributed and used by hundreds of clients around the world. This software allows an organization to link hundreds of healthcare devices and databases together to help mitigate the cost of purchasing newer software products and expanding the life span of healthcare systems through the use of its integrated development environment that can be used to generate new assembly line style automation of processes and data transfer. In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their deployment and status information. There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination. If you are a software developer located in the another part of the world, this bundled package would be perfect for your company and give you an edge over your regional competition. The price tag? Over $500,000 at yesterday’s BTC conversion rates. DataBreaches.net notified this entity of the breach last week after becoming aware of it and seeing evidence of it, but after an initial contact and telephone conversation, they did not respond to a follow-up email alerting them that the breach appeared to be much more extensive than they believed. Maybe they’ll believe it this week, as I would assume that they, too, are being hit with a ransom demand. DataBreaches.net is withholding publication of their name to give them a bit of time to investigate and to make the disclosure themselves. So is the healthcare sector under attack by this group? Yes. And the healthcare sector appears to be sitting ducks. Both the TheDarkOverlord, in an interview with yours truly, and InfoArmor note concerns about EHR software. If a hacker is telling you that stealing patient data is child’s play because of your software, perhaps you might take that to heart? And if the hacker is telling you that he’s finding login credentials in plain text and then using them, is there something usable in that statement, […]
TheDarkOverlord names the Farmington victim and releases data
One of the other up-for-sale health databases that DataBreaches.net reported on on Sunday was a facility in Farmington, Missouri. It was described as a “Healthcare Database (48,000 Patients) from Farmington, Missouri, United States.” Yesterday, after investigating the sample and other information, DataBreaches.net reached out to the Midwest Orthopedic Pain & Spine clinic owned by Dr. Scott Van Ness, asking them to confirm that they were the breached entity. I received no response. But now TheDarkOverlord has confirmed that they they are the breached entity. In a public paste, they write, “Scott A. Vanness owns the clinics that service these 499 patients. Midwest clinic groups in Farmington, MO.” So it’s that group of clinics, as DataBreaches.net had suspected. DataBreaches.net is not linking to the exposed patient data, but has sent another inquiry to the clinic, notifying them of the leaked data and asking for a statement.