Irony: When blackhats are our only source of disclosure for some healthcare hacks (Update1)

“We’ll not be caught, ever.”
— TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability?

Since June 2016, has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”).  At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated.

Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

  1. Athens Orthopedic Clinic
  2. Peachtree Orthopedics
  3. OC Gastrocare   
  4. An unnamed clinic in New York   and an  unnamed clinic in Oklahoma ??
  5. Aesthetic Dentistry    (New York)
  6. Prosthetic & Orthotic Care
  7. Midwest Orthopedic Pain & Spine
  8. Little Red Door Cancer Services of East Indiana
  9. Tampa Bay Surgery Center
  10. La Quinta Center for Cosmetic Dentistry
  11. Feinstein & Roe
  12. Dougherty Laser Vision
  13. Coliseum Pediatric Dentistry (aka Hampton Road Dentistry) 

A few notes on the above:

  1. The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents.
  2. Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes.
  3. Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

  • How many of the twelve confirmed breaches were reported to HHS?
  • How many of the twelve confirmed breaches were reported to state regulators?
  • How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

  • Athens Orthopedic Clinic
  • Peachtree Orthopedics
  • Prosthetic & Orthotic Care
  • Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.  And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches.

So why haven’t 8 of the 12 breaches been reported to HHS? has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet.

In answer to the second question:  none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question about notification to patients, could only find confirmation of patient notification for  the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google.

Of note, however, did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients.

So here’s my request to the public:

If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it?  You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

And depending on the answers we get to the questions in this post, perhaps we should add one more question:

What, if anything, will HHS and state regulators do if they learn that entities have not reported breaches to them and/or to patients?  Will this get swept under a rug because the HHS breach tool is viewed by some as “too punitive?” Or will someone actually investigate to see whether patient information had been reasonably protected and patients notified of any breach? 

Update 1 July 6:  On June 23, filed public records requests with the California Attorney General’s Office and California Department of Public Health (CDPH), requesting any records filed by the following entities under California Civil Code Sections 1798.29 or 1798.82, or California Health and Safety Code Section 1280.15:

  • Feinstein & Roe
  • La Quinta Center for Cosmetic Dentistry
  • Dougherty Laser Vision
  • OC Gastrocare

On June 30, the California DOJ declined the request, responding, “We have not located any records responsive to your request.”

So none of those four clinics reported any alleged breaches to the DOJ and as of today, only one of seven entities (Tampa Bay Surgery) has reported anything to HHS. subsequently obtained confirmation from reliable sources with firsthand knowledge who confirmed that OC Gastrocare had not reported any incident to HHS, to the state, or to any patients.  It is this site’s understanding that they are actively investigating the claimed hack.

Other entities contacted by did not respond to inquiries.

About the author: Dissent

4 comments to “Irony: When blackhats are our only source of disclosure for some healthcare hacks (Update1)”

You can leave a reply or Trackback this post.
  1. diane - June 27, 2017

    I just received a letter from Tampa Bay Surgery Center a few days ago .. stating the files of my minor son’s (12 at the time. he’s 22 yo today) have been compromised … so not only is his personal information at risk so is mine. Not happy, the only thing that has changed is the insurance carrier information .. address, phone #, social security#’s and banking information all remain the same.

    • Dissent - June 28, 2017

      Thanks, Diane, and I’m sorry you and your son are going through this. Did the letter say when the hack actually occurred and when and how they found out about it, etc.? If it’s something you can scan in, I’d really love to see it: [email protected].

  2. Trent - July 7, 2017

    HIPAA is ridiculous.

    It forces CE’s large and small (and their business associates) to do gymnastics and jump through hoops in order to secure their networks and get “compliant”, yet these CE’s still get attacked, they still suffer breaches.. Due to a reporting system that relies a great deal on self-policing, many CE’s don’t even bother to report. Either that’s because they’re petrified of a massive HIPAA penalty or they’re being told not to report by investigative agencies. I think HIPAA needs to be amended with language that severely penalizes CE’s who don’t report their security incidences to HHS. HIPAA is over 20 years old now, and so many CE’s STILL refuse to get on board with it. They simply don’t care enough about personal privacy, and they should be punished for it. It’s either that or laws have to change that force healh agencies to scrub their databases of the most critical personally identifiable information and switch to EHR systems where identities are stored as a dynamic hashed value, created and indexed at the state or federal level… Essentially, a national or even a state/municipal health ID number and that’s all you get to store in a local database beyond first/last name. Do that and you’d instantly stop the problem of privacy breaches at covered entities.

    • Dissent - July 8, 2017

      I have contacted HHS about entities that did not report breaches to them – although it’s not always possible for me to determine with 100% confidence whether some entities are even covered by HIPAA.

      I do not see where HHS/OCR has ever investigated any of those entities. The closest HHS/OCR has come to any penalty is for late notification. But that still lets those who didn’t notify at all get away with it. I agree with you – we need to see stiff penalties for failure to disclose (although I’m not sure I agree with the new policy on ransomware).

      And oh yeah – Justin Shafer repeatedly alerted HHS to breaches that have not been reported or disclosed.

      HHS *declined* to investigate them.

      I filed under Freedom of Information to find out *why* HHS did not investigate any of those complaints by Shafer.

      HHS has not responded at all to my Freedom of Information request.

      Stay tuned for the next steps.

Comments are closed.