Technology firm hack compromised clients’ EHR records: The Dark Overlord

On July 12, the hacker known as “The Dark Overlord” (TDO) offered the source code, software signing keys, and customer license database for a firm that develops and markets software that, among other things, implements the HL7 standards. The entity was not named in the listing on TheRealDeal Market. As I reported on July 12, I was already aware of the hack and had previously notified the entity of it, but I did not reveal their name at that time, so as to give them a chance to start investigating and to get their incident response started. Yesterday, Jeremy Kirk also reported on the breach.

As with TDO’s other attacks, this one came with a ransom demand, which was basically to pay 800 BTC or have the source code and signing keys sold. But there was another aspect to this breach: the hacker’s claimed ability to access all of the firm’s clients’ EHR records. On a proprietary level, the hack and potential leak of the source code is serious, of course, as is the claim that the hacker had control of the signing key and could push out an update to all clients. As a patient privacy advocate, the access to EHR records and potential for corrupting them or stealing them is worrying.

Listing on TheRealDeal Market

Because the entity has decided not to issue any statement at this time, and because their clients’ EHR records were apparently accessed as part of the attack, this site is going to reveal what we know so far about this incident.

On July 6, during an encrypted on-the-record chat, TDO provided me with a log from the attack, including the firm’s root directory and a copy of their .sql licensing database. I contacted the firm last week to alert them. In my conversation with them about what had happened, Ben Hoey informed me that there was no PII or PHI at risk.

In a follow-up chat with TDO, I asked him about their claim of no PHI involved.

“Of course not,” TDO told me. “Except when I used their code to find exploits in all their clients…. Also, since I was in their system, I signed a backdoor into their client – because I had access to their certificate signing. It got pushed out in an update a few weeks ago.”

TDO provided this site with a sample of EHR records from one or more clients.

“So yes, no PII/PHI my ass,” he commented.

The firm, when contacted with that information, did not reply to this site. And when I spoke with them earlier today, they declined to issue any statement, stating only that the matter had been turned over to their security team.

By now, I’ve seen enough to be convinced that TDO has everything he claims to have on them, and this can be a very costly breach for the firm.

Is TDO using this site and this journo to put pressure on the company? As Joseph Cox discussed on Motherboard, TDO is good at using the media to build his credibility or to exert pressure on targets. I’m probably an easy play for him, too, as my concern for ensuring patients are informed of breaches makes me more likely to report and disclose details. But as Cox and I agreed, even when you know you’re being used or played, you can or should still report on breaches.

So for now, I guess, unless I obtain any additional details from TDO or the firm, the only thing left to report is to identify the firm. It’s PilotFish Technology in Connecticut, and if you’re a client with EHR records, you may want to activate your incident response team. While I did not see proof that TDO got all EHR records from all clients, TDO claimed that they’ve got them all, and I tend to believe that.

For my other coverage and discussion of TDO’s hacks, see these posts.

Correction: this post was edited post-publication because, as a commenter correctly pointed out, I should not have described the firm as an “HL7 entity.” Thanks to the commenter for pointing out the less-than-accurate description I had provided.

About the author: Dissent

14 comments to “Technology firm hack compromised clients’ EHR records: The Dark Overlord”

  1. Jordana Ari - July 15, 2016

    I wonder what his motives are in regards to this hack and others. If it’s all about breaking into server for whatever glory, well that is obviously screwed up

    • Dissent - July 15, 2016

      He’s very clear that his motive is money.

      • Jordana Ari - July 15, 2016

        At some point, he will get caught. I don’t think he is smart enough to stay hidden and in the dark

        • Dissent - July 15, 2016

          And your opinion is based on… what? Having chatted with him at length, I think if he gets caught, it will be due to an opsec slip up somewhere, but he’s incredibly intelligent. I just wish he was on my side of the equation.

          • Jordana Ari - July 15, 2016

            He keeps tweeting and goading based on his tweets (who I follow). I have noticed most of these hackers are very intelligent but seem to slip with something that should be a no-brainer.
            I have a slight hunch that certain govt agencies may be tracking too. I don’t want to give out my perspective on this through public domain though. This came through a recent conversation I had with someone

          • Dissent - July 15, 2016

            “May be tracking?” LOL. Of *course* they’re trying to track him down. He’s a major threat.

          • Jordana Ari - July 15, 2016

            I know…will inbox more…not saying anything else

  2. Jordana Ari - July 15, 2016

    Who I know works for a govt entity..

    I had a problem sending that last comment and this completed the last sentence.

  3. JS - July 15, 2016

    Holy shit.

  4. Grahame Grieve - July 18, 2016

    Dissent: “On July 12, the hacker known as “The Dark Overlord” (TDO) offered the source code, software signing keys, and customer license database for a Health Level Seven (HL7) entity.” – that sentence is badly misleading – PilotFish is a company that provides software that implements – among many other things – the HL7 specification. That does not make them an “HL7 entity” whatever you think that might mean. HL7 is a standards organization that defines interoperability formats. It doesn’t have entities that are companies. But it does protect its name… Please correct your description

    • Dissent - July 18, 2016

      Thanks for your thoughtful comment. I have edited the text to make it more accurate, I hope.

  5. Random - July 18, 2016

    Oddly I am familiar with that software and they technically don’t host or create EHR records. I wonder if there would be some real followup before reporting on these. This article has created a nightmare for me since I support a company that uses this software.

    • Dissent - July 18, 2016

      The hacker claims he got into the clients’ records through the company. The hacker also claimed to have all their source code. So I take your point, but I don’t think I claimed they hosted or created records. Also, because of the signing key issue, the hacker could have pushed out an update to all licensed users that would leave a backdoor into the clients’ network via the software and the hacker had told me that he did have such a backdoor.

      So is this a bit of a nightmare? I think it may be, and I hope Pilotfish shares the results of any forensics examination, at which point, I’ll be happy to follow up. My main concern was to alert clients whose records may have been compromised by events.

  6. Grahame Grieve - July 18, 2016

    Thanks for the correction – it’s all good now. I too hope that we find out the forensics, but it sounds unlikely to me.
