On July 12, the hacker known as “The Dark Overlord” (TDO) offered the source code, software signing keys, and customer license database for a firm that develops and markets software that, among other things, implements the HL7 standards. The entity was not named in the listing on TheRealDeal Market. As I reported on July 12, I was already aware of the hack and had previously notified the entity of it, but I did not reveal their name at that time, so as to give them a chance to start investigating and to get their incident response started. Yesterday, Jeremy Kirk also reported on the breach.
As with TDO’s other attacks, this one came with a ransom demand, which was basically to pay 800 BTC or have the source code and signing keys sold. But there was another aspect to this breach: the hacker’s claimed ability to access all of the firm’s clients’ EHR records. On a proprietary level, the hack and potential leak of the source code is serious, of course, as is the claim that the hacker had control of the signing key and could push out an update to all clients. As a patient privacy advocate, the access to EHR records and potential for corrupting them or stealing them is worrying.
Because the entity has decided not to issue any statement at this time, and because their clients’ EHR records were apparently accessed as part of the attack, DataBreaches.net is going to reveal what we know so far about this incident.
On July 6, during an encrypted on-the-record chat, TDO provided me with a log from the attack, including the firm’s root directory and a copy of their .sql licensing database. I contacted the firm last week to alert them. In my conversation with them about what had happened, Ben Hoey informed me that there was no PII or PHI at risk.
In a follow-up chat with TDO, I asked him about their claim of no PHI involved.
“Of course not,” TDO told me. “Except when I used their code to find exploits in all their clients…. Also, since I was in their system, I signed a backdoor into their client – because I had access to their certificate signing. It got pushed out in an update a few weeks ago.”
TDO provided this site with a sample of EHR records from one or more clients.
“So yes, no PII/PHI my ass,” he commented.
The firm, when contacted with that information, did not reply to DataBreaches.net. And when I spoke with them earlier today, they declined to issue any statement, stating only that the matter had been turned over to their security team.
By now, I’ve seen enough to be convinced that TDO has everything he claims to have on them, and this can be a very costly breach for the firm.
Is TDO using this site and this journo to put pressure on the company? As Joseph Cox discussed on Motherboard, TDO is good at using the media to build his credibility or to exert pressure on targets. I’m probably an easy play for him, too, as my concern for ensuring patients are informed of breaches makes me more likely to report and disclose details. But as Cox and I agreed, even when you know you’re being used or played, you can or should still report on breaches.
So for now, I guess, unless I obtain any additional details from TDO or the firm, the only thing left to report is to identify the firm. It’s PilotFish Technology in Connecticut, and if you’re a client with EHR records, you may want to activate your incident response team. While I did not see proof that TDO got all EHR records from all clients, TDO claimed that they’ve got them all, and I tend to believe that.
For my other coverage and discussion of TDO’s hacks, see these posts.
Correction: this post was edited post-publication because, as a commenter correctly pointed out, I should not have described the firm as an “HL7 entity.” Thanks to the commenter for pointing out the less-than-accurate description I had provided.