Prosthetic & Orthotic Care confirms hack by TheDarkOverlord

Another one of TheDarkOverlord’s targets has issued a statement about the hack and theft of their patient information. DataBreaches.net had identified this entity and first reported on the hack on July 9.

Somewhat disturbingly, and as we have seen in other cases with the same parameters, Prosthetic & Orthotic Care (P&O Care) does not appear to be telling patients that their PII and PHI were actually dumped on Pastebin, and that the full database with all their information in plain text is up for sale on the dark web. I am still awaiting a response from HHS as to whether such information should be included to comply with the intention of HITECH that patients be given information relevant to their assessment of the risks they face.

ST. LOUIS, MISSOURI AND ILLINOIS, USA, July 29, 2016 — Prosthetic & Orthotic Care, Inc. is taking swift action to address a data breach by a malicious hacker that has resulted in the disclosure of its patient information. 

The office learned of the possibility of an incident on July 10, and the FBI began investigating the matter. Exploiting a previously-unknown flaw in software purchased by P&O Care, the thieves obtained patient medical records that include names, contact information, P&O Care patient ID numbers, diagnostic codes, appointment dates and last billing amounts. Some records also contain Social Security numbers, birth dates, medical insurance company, and identification information and photos of procedures.  

“P&O Care deeply regrets that this incident occurred and understands the importance of personal information security,” Jim Weber, P&O Care’s Chief Executive Officer, said. “We are working diligently to notify our patients of this risk, and in light of this attack, we are also working with a nationally recognized security firm to further enhance our security and guard our patients’ information.”  

The steps underway to respond to this breach and further improve the security of P&O Care’s patient records include: 

• Providing notice of the theft to those identified as potentially being at risk
• Advising patients on specific steps they can take to protect against identity theft; for example, patients are advised against providing or verifying any unsolicited requests to confirm any sensitive personal information
• Providing patients with a year of credit monitoring through AllClearID, a leading provider of identity theft protection services, at no expense to patients
• Operating a toll free number dedicated to providing information to those affected by the attack
• Retaining a nationally recognized security firm to advise on measures to enhance security
• Adding additional measures to thwart future attacks
• Monitoring the system to detect any signs of an ongoing attack

Additionally, actions individuals should take to protect themselves from potential harm resulting from the breach include:

• Immediately file a report with local police if you believe your identity has been stolen
• Place an Initial Fraud Alert on your accounts, which can be done by contacting any one of the three credit reporting agencies; once you place an initial fraud alert with one of the three credit agencies, it will share that information with the other two
• Review the FTC’s publication, “Taking Charge: What To Do If Your Identity Is Stolen,” which contains additional valuable information, including step-by-step checklists to report and repair identity theft – find the publication at https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf

Those affected will be receiving a notification letter with a toll free number they may call with further questions. In the meantime, potentially affected persons seeking additional information may email [email protected] 

About Prosthetic and Orthotic Care, Inc. 
P&O Care is a team of health care professionals whose mission is to improve the quality of life of our patients by consistently providing patient-focused, value-driven solutions through the innovative design, fabrication and fitting of the highest quality custom prosthetic and orthotic devices. As an independently owned and operated prosthetic and orthotic company, the decisions that we make about the services we provide, the products we recommend, and your care management are truly patient-centered.

Dan Nelson
Armstrong Teasdale LLP
(314) 621-5070

About the author: Dissent