Central Ohio Urology Group hacked, PHI dumped: hacktivist (Updated)

A Ukrainian hacktivist claims to have hacked and dumped 156 GB of patient data from Central Ohio Urology Group in Ohio.

The alleged hack was announced Tuesday morning by the @PravSector account, who posted an unredacted screen shot and a link to the data dump on Google Drive.

Screen shot purportedly from COUG database – redacted by DataBreaches.net. All data in the fields were in plain text.

The data fields in the screen shot include the patients’ full name, postal address and telephone number, date of birth, date of service, and diagnosis (although not ICD codes: just notations such as “lump,” “stones,” “sex drive”). The protected health information (PHI) also included the name of the patient’s insurance carrier and account number.

All data were in plain text. The service dates in the screen shot were from 2013-2014, and a quick Google search confirmed that there are individuals with those names living at those addresses.

In private messages, @PravSector informed DataBreaches.net that he was the hacker, and that this hack was for political purposes – a “warning” so that “no one thought to poison our people with the virus from secret laboratories.” Many have died in Odessa, he tells DataBreaches.net.

“I personally witnessed in Kherson as instructors injections to our volunteers and 14 people died later. Some had strange convulsions before death.”

“We are people, and we want to live.”

And that’s where the conversation got a bit confusing, because Pravyy Sector acknowledged that there was no evidence Central Ohio Urology Group (COUG) was involved in any such research or activity. Despite that, he attacked them – via SQL injection, he claims – and plans to attack others as well. He also plans to disclose what he describes as “top secret docs with secret trials of virus in Ukraine.”

Pravyy Sector claims that he had emailed a warning to COUG in the past, and DataBreaches.net is attempting to obtain a copy of that communication.

But the bottom line for Pravyy Sector is that he wants to publicize what he believes the U.S. is doing to Ukrainians, and to warn any labs not to participate with the Pentagon in any such research.

I’ve just wanted to attract attention to the terrible facts. This lab is part of the US healthcare what helped Pentagon killing us…. of course I can’t harm USAMRU-G or naval medical research – they are protected well – but I can hack less protected system.

When asked whether he really felt this was the right way to send a message – by attacking uninvolved sites and exposing patient information on innocent people, Pravyy Sector replied,

I don’t know whether it’s the right way but my comrades died a horrible death. I want people to know the truth.

DataBreaches.net contacted COUG to alert them to the claimed breach and they are currently investigating. DataBreaches.net also sent an email inquiry to a Gmail address listed as the owner of the data dump.

This is a developing story and the post will be updated as more information becomes available.

Update 1: The files are still being analyzed by @Cyber_War_News, who has been feeding information to a few of us as he finds things. This is a huge compilation of internal documents and patient records, including 100,000 document files and pdfs. I’ve also seen monthly surgical spreadsheets with detailed records on named patients’ surgeries, and consultation forms with patients’ medical histories and insurance information.

In other words, this is going to be brutal. I should note that although it seems that the exfiltration of the data occurred on July 21 and July 22, it’s not yet clear whether it was COUG’s server from which the data were stolen or a vendor/business associate’s. @Cyber_War_News hypothesizes that it’s a dump from an installation of DocumentPlus.

Update 2: CyberWarNews.info has released their analysis of the data dump. Of possible note, Lee found evidence of ransomware. COUG has yet to provide this site with any statement about the breach.

Update 3: See also HackRead’s coverage with screenshots.

Update 4: @PravSector tells DataBreaches.net that the attack was on COUG’s server, not a vendor’s. COUG has yet to issue any statement.

Update 5 (Sept. 27): It looks like COUG has determined that it was an attack on their server, although we don’t have total numbers yet.

Update 6 (Oct. 3): COUG reported it to HHS as affecting 300,000.


About the author: Dissent