MO: A second TheDarkOverlord target confirms hack (updated)

In the past 24 hours, two of TheDarkOverlord’s targets have publicly acknowledged breaches previously reported by this site.

Yesterday, it was the Athens Orthopedic Clinic in Georgia who issued a public statement (previous coverage). Today, it’s a group of clinics in Farmington, Missouri (previous coverage). Daily Journal Online reports:

The medical group which includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine Dr. Christopher T. Sloan, D.P.M. sent letters to patients earlier this week stating a data breach was discovered.

“We write to inform you that our practice discovered a data breach on May 27, 2016 that may have contained personal health information and have been investigating the exact nature and scope of the information obtained by the hackers since,” the letter reads. “To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients including: names, addresses, social security numbers, date of births, diagnoses, lab results, other medical records, and potentially some financial information.”

Read more on DailyJournalOnline.

Of note, both entities stated that the attacker likely gained access through an unnamed third-party contractor. Also of note, neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. I’m not sure how well patients can really protect themselves if they don’t know the full scope of a situation.

Hopefully, the letters sent to patients provide additional information.

The two entities have not responded in the same way, however. This site contacted both entities several times over the past month, in some cases to alert them that their patients’ information had been dumped on Pastebin, and that they could get it removed by following Pastebin’s procedures.

Athens Orthopedic Clinic responded promptly to the notification (they were already aware of it, it appears), and got the paste(s) removed. Dr. Van Ness did not respond to repeated alerts, however, and his patients’ information remains exposed on Pastebin. I will not link to the exposed data, but I have autoresponses from Midwest Orthopedic Center dated June 29th to my first notification. On July 23, weeks later, I sent them another message through their site:

I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at [redacted].

I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast.

Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course.

Other than autoresponses, I received no response, and as of today, the data are still exposed.

I don’t know what the FTC or OCR would say about this, but as part of incident response, shouldn’t entities be looking for such data dumps and trying to get them removed? And if you don’t know about it, and someone takes the time to alert you not once, but twice, shouldn’t you do something?

Seriously: even if for some reason, they never read the messages submitted through their own site’s contact form, once they knew they were hacked, shouldn’t their incident response have included searching their name for reports or stories on the internet? Had they done so, they would have found some of my previous coverage and the paste situation mentioned. So they had at least three ways to find out and do something about it, but have done nothing?

I would love to hear their explanation for this part of their breach response. If I were one of their patients whose personal information has been sitting exposed since June 29, I’d be ticked off at them for that, because yes, name, date of birth, Social Security number, and other personal information have all been dumped.

Update Aug. 3: When this was reported to HHS, it was reported as affecting 29,153 patients, considerably fewer than the 48,000 patients indicated in the TheRealDeal Market listing. It is not clear whether the 29,153 figure covers all of the associated facilities or just the Midwest Orthopedic & Spine entity.

About the author: Dissent