The Georgia Supreme Court has breathed new life into a lawsuit by patients of Athens Orthopedic Clinic (AOC) whose data were stolen by thedarkoverlord in 2016. In a decision issued this week, the judges unanimously reversed the Court of Appeals’ dismissal of the lawsuit, vacated other parts of their ruling, and remanded the case. At issue before the court was how Georgia law would apply the cognizable injury required for standing in a negligence suit under state law. The lower court had granted the clinic’s motion to dismiss based on the majority agreeing that any harm alleged by the plaintiffs was future harm and speculative. The state supreme court agreed with the plaintiffs, however, finding that they had alleged enough harm to survive a motion to dismiss.

The Athens Orthopedic Clinic case was one of thedarkoverlord’s earliest known hacks and extortion attempts, in June 2016. This site’s coverage of the case and its aftermath can be found linked from here. When the clinic wouldn’t pay the extortion demand, the hackers allegedly falsely claimed to have sold some of the data that they had listed on a dark web marketplace. But eventually, the hackers also began publicly releasing actual segments of the patient database on Pastebin. The pastes were downloaded by unnamed others, increasing the risk that patient data was falling into criminals’ hands or was being acquired by those who could and would misuse it. At least one named plaintiff, Christine Collins, alleged that she suffered actual fraudulent activity on her credit card shortly following the attack. To add to the patients’ concerns, AOC announced that it did not have any insurance that would cover it for offering affected patients credit monitoring and/or identity theft restoration services.

While the litigation continues to work its way through the courts, one member of thedarkoverlord is preparing to stand trial for his role in the attack on the clinic and four other attacks.
Although not identified by name, AOC appears to be Victim 5 in Nathan Wyatt’s indictment. It also appears that AOC was the victim who received the “rap-style” phone threats, allegedly made by Wyatt. AOC reported the incident to HHS in the summer of 2016, but there is still no closing summary on any investigation by OCR, which may mean that they still have an open investigation or case. DataBreaches.net notes that OCR already closed its investigation into other TDO hacks during that same time period, including two of the Missouri victims involved in the Wyatt case: Prosthetic & Orthotics Care and Midwest Orthopedic Pain and Spine. The fact that the AOC case is not closed could mean that the Atlanta region of OCR is just more backlogged than Missouri, or it may be a sign that AOC is not out of the woods with OCR yet. One of the questions OCR may have for AOC may relate to claims by the hackers that even after AOC knew that they had been hacked, they still didn’t change their login credentials to all their systems, even after weeks and two emails from the hackers letting them know that they still had access. Not only might OCR have some questions as to whether that happened, but if it did happen, it might support the plaintiffs’ negligence claims.
The first — and so far, only — person to have been arrested and charged as a member of “thedarkoverlord” pleaded guilty today in federal court in Missouri. Nathan Francis Wyatt, 39, of Wellingborough, Northamptonshire in the U.K., was sentenced by Judge Ronnie L. White to 60 months in prison and almost $1.5 million in restitution.

Wyatt, who used screen names including “Crafty Cockney” and “Mas,” had been indicted by a grand jury in November 2017 and charged for his role in thedarkoverlord attacks against five victim entities in Missouri and Atlanta. The indictment had contained 6 counts: 1 count of conspiracy, 2 counts of aggravated identity theft, and 3 counts of threatening to damage a protected computer. Wyatt was extradited to the U.S. in December 2019 and had been in custody since then in the St. Charles jail.

Most of the government’s evidence against Wyatt came from Wyatt himself — he opened a PayPal account, registered a phone account, a Gmail account, a Twitter account, and a virtual private network that were all used as part of the scheme to hack and extort victims — and he created them all using information that led straight back to him. The government was represented by Gwendolyn Eleanor Carroll of the U.S. Attorney’s Office in St. Louis and Laura Kathleen Bernstein of the U.S. Department of Justice Criminal Division.

Some of the evidence against Wyatt has been documented in extensive previous coverage of him by this site, but some of the evidence had been under seal, including some very threatening messages TDO sent to victims in this case. While the public was already aware that thedarkoverlord often researched their victims and would refer to their family members in ways that suggested future harassment or harm, the government’s filing contained examples not previously revealed. From the presentencing filing: ….
one ransom demand, which is redacted here, threatened, “[w]e imagine that the same, careful, delicate care you give your patients, you also give your beautiful wife. What was her name? S******? S.M.V. (***-**-****)? Let’s hope that she stays beautiful and that nothing unfortunate happens to her. Who knows? It’s bound to happen with you leaving her alone all the time over there on [address] (Parcel ID **-**-**-**-***-****.**). We heard that it is for sale and maybe we will check it out sometime.” Gov’t Sealed Exhibit A. The letter went on to list details about the owner’s children, and even included threats to the owner’s parents: “[y]our elderly parents do not need this sort of stress in their golden years. What were their names again?,” and then listed the full names and social security numbers of the victim’s parents. PSR ¶ 23; Gov’t Sealed Exhibit A.

In another example cited by the government, the daughter of one of the victims was on the receiving end of frightening communications that used a telephone account registered by Wyatt:

hi [K] you look peaceful….by the way did your daddy tell you he refused to pay us when we stole his company files..in 4 days we will be releasing for sale thousands of patient info. including yours… 19 in febuary?…weve all had a look and we all think your hot. soon some really evil men will be looking at you..possibly thru your window. your father is also looking at multiple felonies..so say good bye to the house.. all bcs daddy wouldnt pay a much smaller sum to make all this go away. Daddys fucked you [K]….And incest is a crime… sweetdreams

Gov’t Sealed Exhibit C.

Note that the government did not claim that Wyatt wrote or transmitted all of the threats. But he was charged with being part of the conspiracy that did engage in those behaviors, and a phone used in the conspiracy was registered in his name.
Wyatt pleaded guilty to the one count of conspiracy in exchange for the government dropping the other five counts of aggravated identity theft and fraud activity connected to computers. He was represented by Brocca L. Morrison and Rachel Marissa Korenblat of the federal public defender’s office. Throughout most of the hearing, which was held by Zoom conference because of the pandemic, Wyatt confined himself to quietly answering, “Yes, Your Honor,” or “No, Your Honor” when the judge would ask him questions. After accepting Wyatt’s guilty plea, both the defense and prosecution made statements about sentencing recommendations, having previously agreed on the guidelines’ application to the case. Wyatt’s counsel noted that they couldn’t really contact much family because he had no family in the U.S., but his long-time partner had written a letter to the court describing Wyatt’s character as a loving father and devoted partner. The defense also noted how Wyatt had medical issues, and had only recently been diagnosed with Asperger’s Disorder. Prior to proper diagnosis, medication, and counseling, he had admittedly made bad decisions in a serious case. As his lawyer noted, Wyatt was caught because he registered accounts in his own name. He was not a sophisticated criminal, while thedarkoverlord was a sophisticated criminal operation. According to his lawyer, Wyatt was not the person who orchestrated TDO. He had great remorse and shame for what he had done, but especially for what he had done to his family who he had “left in the lurch.” When given an opportunity to speak, Wyatt struggled to compose himself. He admitted that he had mental problems that had led to bad decisions, but now that he was medicated, he was beginning to recognize when he was experiencing mania. But more than anything, he just wanted to go home to his family and never see another computer ever again. Judge White imposed a sentence of 60 months. 
The judge did not seem swayed by defense counsel’s argument that most defendants get measures like half-way houses or incentive programs that reduce their total time in jail, and that Wyatt would wind up serving at least 85% of his sentence.

Wyatt was also sentenced to $1,467,048.07 in restitution:
Athens Orthopedic: $877,585.00
Midwest […]
“We’ll not be caught, ever.” — TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability, and will they continue to escape accountability?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”). At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated. Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

Athens Orthopedic Clinic
Peachtree Orthopedics
OC Gastrocare
An unnamed clinic in New York and an unnamed clinic in Oklahoma ??
Aesthetic Dentistry (New York)
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine
Little Red Door Cancer Services of East Indiana
Tampa Bay Surgery Center
La Quinta Center for Cosmetic Dentistry
Feinstein & Roe
Dougherty Laser Vision
Coliseum Pediatric Dentistry (aka Hampton Road Dentistry)

A few notes on the above: The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable, as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents. Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes. Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

How many of the twelve confirmed breaches were reported to HHS?
How many of the twelve confirmed breaches were reported to state regulators?
How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

Athens Orthopedic Clinic
Peachtree Orthopedics
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.
And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches. So why haven’t 8 of the 12 breaches been reported to HHS? DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet. In answer to the second question: none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW). As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google. Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients. 
So here’s my request to the public: If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it? You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

OC Gastrocare
Aesthetic Dentistry (New York)
Tampa Bay Surgery Center
La Quinta Center for […]
While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more TV films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year. All told, almost 180,000 patients had their personal information shared with the world. Two of the incidents were previously known to this site, and had already been included in monthly analyses provided by this site to Protenus for their Breach Barometer reports. But for the benefit of those readers or journalists who seem to be first discovering TDO, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site):

Athens Orthopedic Clinic
Peachtree Orthopedics
OC Gastrocare
An unnamed clinic in New York
Aesthetic Dentistry
Prosthetic & Orthotic Care
Midwest Orthopedic Pain & Spine
Little Red Door Cancer Services of East Indiana
An unnamed clinic in Oklahoma

DataBreaches.net strongly suspects that there are other medical clinics that were also attacked but never disclosed publicly. In addition to medical clinics/providers and insurers, TDO’s victims have also included software and third-party vendors like PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer where 9.3 million records were listed for sale on TheRealDeal. And then there were the attacks in other sectors, like the attacks on WestPark Capital, Gorilla Glue, Pre-Con Products, G.S. Polymers, DRI Title, and other entities.

For those who are new to TDO’s playbook, be aware that if they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market for the data, or no longer any market for the data.
Dumping the database is often part of their strategy to send a warning to future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold. Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of their playbook, which may explain why they have dropped three databases today. Whatever their reasons, here’s what we know so far about today’s three newly dumped databases:

Aesthetic Dentistry

Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply:

Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin. Despite the public pressure of revealing named patients’ medical diagnoses and other details, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought. Today – seven months after their initial disclosure – TDO tweeted:

“Don’t mind us as we dust off 3.5k dentistry patient records: https://t.co/o5dewUPA8y” — thedarkoverlord (@tdohack3r) May 4, 2017

The database, in .csv format, contains 3,496 patient records, where the field headings include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text. What may be of especial concern to patients, apart from the risk of fraud, is the disclosure of their health information.
Diagnoses in the database included cardiac conditions such as heart murmur and hypertension, kidney diseases, psychiatric conditions such as depression, and various allergies and sensitivities. Aesthetic Dentistry never responded to inquiries sent to them in January and February by this site. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request in February with HHS as to whether this incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request.

OC Gastrocare

OC Gastrocare in California is another entity that TDO hacked last year and that they had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase pressure on them to pay. Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted:

“Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients: https://t.co/3OojH3PrVs” — thedarkoverlord (@tdohack3r) May 4, 2017

Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ parts. To this day, TDO’s public statements often reveal that they try to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms). TDO has occasionally commented to this site that they believe clinics are not doing right by their patients by refusing to pay “modest” extortion demands that could protect the patients’ privacy.
In other cases, they had informed this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing. So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain it. The OC Gastrocare data contains approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number is in plain text.

Tampa Bay Surgery Center

The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before:

“Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us. https://t.co/gAlt5rhOXd” — thedarkoverlord (@tdohack3r) May 4, 2017

“Into the hundred […]
In a post yesterday, I reported that protected health information and identity information of patients of Athens Orthopedic Clinic that had been leaked online by hackers remained available to anyone who knows where to look for it. Although it’s frustrating and understandably worrying to patients, I give AOC credit that they tried to find the leaks and plug them. I think patients of another victim of TheDarkOverlord have more cause to be upset with their provider, who neither responded to two notifications from this site that their patients’ information was leaking online nor got the records removed from public view.

On June 29, this site contacted Midwest Orthopedic Pain & Spine* in Farmington, Missouri, to alert them that TheDarkOverlord (TDO) had leaked some of their patients’ data. They never responded nor asked me where the data had been dumped. Again on July 23, this site contacted them through their web site contact form to alert them that the patient data was still exposed on Pastebin and to ensure they had the url. Again, I got an auto-responder but no real response. In that July 23 message through their site, I wrote, in part:

I am a journalist who contacted you in the past, but got no response. I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at http://pastebin.com/[redacted]. I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course.
The Pastebin url is redacted for now in the above message because, despite my messages to them of June 29th and July 23, that June 29th paste – with 499 patients’ information – is still available to anyone who knows where to look for it. It has now been viewed 96 times. Another copy of the same data is also still available on Pastebin and has been viewed 192 times. The patients whose data were exposed in those duplicate pastes are those whose last names begin with the letter “A” and “B.” The types of data in the records may include name, Social Security number, date of birth, address, landline and cellphone number, and other details.

On July 23, after sending the message to Midwest, I discovered another paste, dated that day, that contained an additional 1,006 patients’ records in the same format. Here are the headings of the data fields:

Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1,Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone,Work Phone,Cell Phone

And here is a screenshot – redacted by this site – showing that data were available to anyone who knows where to look for it.

DataBreaches.net has today requested removal of the three pastes with patient data from Midwest Orthopedic Pain & Spine, but Midwest’s lack of response and inaction should be investigated by HHS and perhaps the Federal Trade Commission. If readers are aware of other patient data leaks that are still online, please let me know. Not all pastes can be removed (some sites have no removal policy), but Pastebin does have a removal policy, and it should be possible to get patient data removed from that site if it’s been uploaded there.

—
* The medical group reportedly includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine; Dr. Christopher T. Sloan, D.P.M.