EXCLUSIVE: Hand Rehabilitation Specialists notifies patients of possible hack by TheDarkOverlord

Back around the Fourth of July holiday,  I was busy attempting to confirm some claimed hacks by TheDarkOverlord (TDO). And no, I’m not referring to any entities I’ve previously named on this site, but yet other healthcare entities I’ve never named.

In encrypted chats, TDO had provided me with samples of patient data from approximately half a dozen healthcare practices. As they had done in some previous cases, TDO informed this blogger that they were going to dump the data publicly because the entities had not paid their extortion demands.

Two months later, I have seen no evidence that these entities’ patient records have been dumped or put up for sale. It may be, however, that the sales are taking place outside of marketplaces that I might check or it may be that TDO decided not to sell some of the data they acquired. In any event, and unlike some of TDO’s previously claimed hacks, this batch of claimed hacks turned out to be a headache to verify. Calls to entities/clinics were generally not returned, and even after I made contact with some of the clinics, they did not follow up with me. In other cases, patient contact information was no longer accurate, or patients provided only partial confirmation of the accuracy of the records I had been provided.

One of the clinics that proved to be somewhat headache-inducing in terms of verifying the claimed hack was Hand Rehabilitation Specialists, who have offices in Thousand Oaks and Simi Valley, California.  TDO had provided me with a sample of what they said were 10 patient records. Each record consisted of last name, first name, gender, date of birth, Social Security number, postal address with zip code, and telephone number.  TDO claimed that they had other records with additional types of data as well, but the sample was merely for verification purposes.

Today, Hand Rehabilitation Specialists filed a breach notification with the Vermont Attorney General’s Office. That letter states, in part:

On July 5, 2017, we were informed that there may have been a breach in the security of our network. We immediately reported the notice to the Ventura County Sheriff’s Office, who began a prompt forensic IT investigation into the matter in consultation with the FBI. To date, law enforcement has found no evidence of any information leaving our system. However, unauthorized access could not be ruled out, so out of an abundance of caution, we are providing notice to all individuals who could be potentially affected and providing protective services to those who choose to take advantage of this service.

What Information Was Involved?

The information may have included your: name, date of birth, address, phone number, Social Security number, dates of service, diagnoses, CPT (billing) codes, cost, amount of co-pay made by check, medical insurance company, insurance group number and contact information, check number, and our name and practice contact information.

What We Are Doing.

We immediately notified and have been working with the Ventura County Sheriff’s Office, outside IT consultants, and applicable state agencies. Further, we are reviewing our security policies and procedures to ensure all appropriate steps have been taken.

Their letter did not reveal the number of patients they are notifying.

Based on the date of their letter and my notes, it seems that they may be claiming that they first discovered the breach on July 5  from my phone call to them.  That claim would be consistent with their statement to me that they had never seen any extortion demand email from TDO.

When asked about the extortion demand in July, TDO insisted that they had sent an extortion demand to the [email protected] address, but TDO’s spokesperson did not claim that the practice had ever responded to it and I was provided no proof that the entity ever even opened the email or saw it. So although TDO claimed that the entity had known about the hack months earlier, this site has seen no proof of that.

Even more puzzling at the time, though, was the fact that out of the 10 patient records provided to me for verification purposes, the practice, its lawyer, and its third-party vendor who maintained the database all insisted that only two of the 10 were patients of the practice. And the third-party vendor also insisted that there was no evidence of any breach of their system. So if the practice didn’t maintain any database on their server, and their vendor insists that there was no breach, and we only have 2 out of 10 patients confirmed and the other 8 flatly denied, then……?

DataBreaches.net has not been in contact with TDO since July 22nd. When this claimed hack was last discussed in July, they were insistent that they had hacked this entity, but declined to provide this site with any additional records that could be used to attempt to verify their claims.  Despite that, this site has no reason to disbelieve their claims. Then again, this site has no reason do disbelieve the practice, either. Maybe some day I will get an answer that resolves the seeming disputed facts.

This incident has not appeared on HHS’s public breach tool (or at least, not yet), and as far as this site knows, it is the first of that batch of claimed hacks to be disclosed publicly.  It will be interesting to see if any of the other claimed hacks get disclosed in the coming weeks, as Sept. 5th would be around two months since I first contacted the entities to inquire about their possible hacks.

About the author: Dissent