Patient info from Missouri clinic hacked by TheDarkOverlord remains online and available. Why?
In a post yesterday, I reported that protected health information and identity information of patients of Athens Orthopedic Clinic that had been leaked online by hackers remained available to anyone who knows where to look for it.
Although it’s frustrating and understandably worrying to patients, I give AOC credit that they tried to find the leaks and plug them. I think patients of another victim of TheDarkOverlord have more cause to be upset with their provider, who neither responded to two notifications from this site that their patients’ information was leaking online nor got the records removed from public view.
On June 29, this site contacted Midwest Orthopedic Pain & Spine* in Farmington, Missouri, to alert them that TheDarkOverlord (TDO) had leaked some of their patients’ data. They neither responded nor asked me where the data had been dumped. Again on July 23, this site contacted them through their web site contact form to alert them that the patient data was still exposed on Pastebin and to ensure they had the URL. Again, I got an auto-responder but no real response.
In that July 23 message through their site, I wrote, in part:
I am a journalist who contacted you in the past, but got no response. I wanted to make sure that you are aware that your patients’ PHI was dumped on Pastebin weeks ago at http://pastebin.com/[redacted].
I don’t know why you haven’t sought to have it removed. Is there some reason you haven’t contacted Pastebin? They have procedures for removing such things if the entity requests it via email, and they’re usually pretty fast. Your patients’ data have already been downloaded dozens of times, it would seem, so I’d encourage you to seek removal asap before more damage might be done to them – unless law enforcement has advised you otherwise, of course.
The Pastebin URL is redacted for now in the above message because, despite my messages to them of June 29th and July 23, that June 29th paste – with 499 patients’ information – is still available to anyone who knows where to look for it. It has now been viewed 96 times.
Another copy of the same data is also still available on Pastebin and has been viewed 192 times.
The patients whose data were exposed in those duplicate pastes are those whose last names begin with the letters “A” and “B.” The types of data in the records may include name, Social Security number, date of birth, address, landline and cellphone number, and other details.
On July 23, after sending the message to Midwest, I discovered another paste, dated that day, that contained an additional 1,006 patients’ records in the same format. Here are the headings of the data fields:
Record #,Pat.Act.#,Active,Last Name,First Name,MI,Suf.,Address Line 1,Address Line 2,City,State,Zip,SSN,DOB,Sex,Mar.,Stu.,Email,Home Phone,Work Phone,Cell Phone
And here is a screenshot – redacted by this site – showing that data were available to anyone who knows where to look for it.
DataBreaches.net has today requested removal of the three pastes with patient data from Midwest Orthopedic Pain & Spine, but Midwest’s lack of response and inaction should be investigated by HHS and perhaps the Federal Trade Commission.
If readers are aware of other patient data leaks that are still online, please let me know. Not all pastes can be removed (some sites have no removal policy), but Pastebin does have a removal policy and it should be possible to get patient data removed from that site if it’s been uploaded there.
* The medical group reportedly includes Midwest Imaging Center, LLC; Van Ness Orthopedic and Sports Medicine, Inc.; Mineral Area Pain Center, P.C.; Select Pain & Spine; Dr. Christopher T. Sloan, D.P.M.