“Hear Me Roar:” Kaiser Permanente-related site defaced by GOT fans

What you were supposed to see at healthinnovation.kp.org

Kaiser Permanente’s Health Innovations web site wasn’t looking too healthy on Friday. If you attempted to access the site, instead of seeing happy and healthy people and notices about becoming members, you might have seen a notice that the site had been “Hacked by Dohaeragon.” “Dohaeragon” is reportedly “serve” in High Valyrian, the fictional language on Game on Thrones.

KP’s Heatlh Innovation site was defaced by hackers.

And if you, too, are a fan of Game of Thrones (GOT), then you might have enjoyed the musical accompaniment to the defacement:  “Hear Me Roar.”

The defacement credited “Team Faceless Men” who allegedly consisted of Polatbey, Morghon, SoloKing, Claronomes, and KingOfNoobs. “Team Faceless Men” is also a reference to GOT, where they are a guild of assassins.

“Valar Dohaeris”. All men must serve. Faceless Men most of all.

Kaiser Permanente was probably not amused, however, and within a few hours they had somewhat remedied the situation, although their “fix” appeared to be just moving the site to another IP address.

Whether or when they actually patched the site  is unknown to this site because KP has not replied to an email inquiry sent to it on Friday evening.  A source with knowledge of the situation, however, informed DataBreaches.net that prior to the attack, the site had not been subjected to KP’s usual and required security and had not been patched or updated in quite a long time.

And because KP did not reply to this site’s inquiry,  we also do not know if there was any personal information or protected health information that had been on that site and accessible to the hackers.

As to the attackers, there is no history of any “Dohaeragon” on defacement mirror sites like Zone-H.  Their only appearance is on aTurkish site, golgeler.net.  A Google search of the members’ names reveals that at least two of them appear to be Turkish gamers.  A page on plays.tv about “Claronomes” indicated that that individual followed “Morghon,” whose personal information was given as

Real Name: Berkay Gender: Male Age: 17 Country/City: Turkey/Kusadasi Favorite Games: Rainbow Six Siege, The Forest, Blackwake, ARK, PUBG

But the bottom line is that this defacement should be somewhat embarrassing for Kaiser Permanente  who should be at the cutting edge of protecting personal information of patients or insurance plan members.  Indeed, the Security statement for their web site states:

The Websites and the App have security measures in place that are intended to help protect against the loss, misuse, unauthorized access or alteration of information under our control both during transmission and once the information is received. These measures include encryption of data using the Secure Socket Layer (SSL) system, and using a secured messaging service when we send your personal information electronically to the Websites or the App. Despite these measures, the confidentiality of any communication or material transmitted to or from us via the Websites or the App by Internet, text message or email cannot be guaranteed.

While that may sound good, it seems that their site was too-easy pickings for a group of teenage gamers with no history of any serious hacking. Hopefully, KP is conducting an internal review to figure out how this could happen.

In the meantime, attempts to reconnect to healthinnovation.kp.org on Sunday resulted in the site redirecting to healthy.kaiserpermanente.org. It remains that way as of the time of this posting.

If KP does respond, this post may be updated.

Update of July 31: DataBreaches.net received a response from KP today. Their statement is as follows:

The site healthinnovation.kp.org is a site accessed by employees, physicians, and potential employees that provides information on an internal program. The site did not include any protected health information. As the site was developed and hosted outside the Kaiser Permanente network, the breach did not give attackers any access to protected health information of Kaiser Permanente members or patients, nor did it provide access to kp.org or any other Kaiser Permanente system.

We have investigated and are confident that there is no risk to member or patient data confidentiality. While still under investigation, we will be working with this vendor to ensure appropriate levels of security going forward.

Update 2 of July 31:  DataBreaches.net received a polite request from KP asking this site to edit the headline from “”Hear Me Roar:” Kaiser Permanente site defaced by GOT fans.” KP’s rationale for their request was that as written, readers “might assume that THE Kaiser Permanente site (www.kp.org) was hacked which of course was not the case. This was essentially an externally-hosted information page.”

Technically, they’re right. However, the public generally does not know when big entities have other companies externally hosting subdomains (this issue has come up before on this site). Typically, the public will see “kp.org” and will rely on the brand and the reputation of Kaiser Permanente to assure them that the site has good security.  A member of the public is generally not going to expect that a subdomain is being externally hosted and is not under the same security as the main site/domain. 

So after some thought, I’m going to tweak the headline, but leave KP’s name in it, as a reminder to all entities that if you allow other companies to externally host a subdomain, you need to make sure that the external host is providing adequate security – because ultimately, it’s YOUR brand and reputation that will take any hit. 

About the author: Dissent