Months after it was hacked by TheDarkOverlord, a second Atlanta orthopedic clinic notifies patients.
Peachtree Orthopedic Clinic in Atlanta has disclosed that they were hacked. WSBTV has the story. But the hack wasn’t on September 22 as the news cast seems to suggest – that’s just when they confirmed it.
This is all quite interesting, because I had reported on August 15 that they were investigating and the FBI was assisting. And as I noted in my report back then, everything I knew and had uncovered pointed to this being the work of TheDarkOverlord, who had actually given me the first clue to the breach at the end of June.
So when was Peachtree actually hacked? And did the hack exploit RDP, some patient management software, or was this a case of a patient records management vendor having compromised credentials?
There’s a lot more to ask Peachtree Orthopedic. Maybe this time, their external counsel won’t call me to tell me I’ve got wrong information. We’ll see…
In the meantime, here is their notice from their web site:
Patient care is at the center of our mission and we take seriously the confidentiality of the information we hold. We regret to inform you that on September 22, 2016 we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation.
While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient’s treatment code, prescription records, or social security number may also have been taken.
If you were a patient at Peachtree Orthopaedic Clinic prior to July 2014, you may be affected. In a small number of cases, patients who visited Peachtree Orthopaedic Clinic after July 2014 may also be affected.
Our investigation is in its early stages, but we felt it was important to communicate what we know at this time. We regret any anxiety or frustration that this causes you and are committed to supporting you.
We are reaching out directly to those affected via mailed letters and are offering one year of free identity protection services, including credit monitoring for affected individuals. In this letter, we will also outline other steps you can take to protect your identity, as well as information on how to access the free identity protection services.
If you have any questions, we have established a dedicated call center, which can be reached by calling (844) 801-5973 between 9 a.m. and 9 p.m. ET, Monday-Friday.
Thank you for your patience and understanding as we work through our investigation and try to provide you the best information and support that we can. We will share further information as we are able.
CEO, Peachtree Orthopaedic Clinic
Update 1: Later today, TDO issued a press release with some patient information and a link to a dump of some internal documents. But then, I never doubted they did this one. I assume that they’re trying the same failed strategy of naming entities and dumping some sensitive data to put pressure on the entity to pay an extortion demand, which they acknowledge they made.
From their statement today:
It all began many months ago when we acquired 543k patient records which contain both PII and PHI – well before the date of breach notice and alleged date of breach. 543,879 records for anyone counting. Oh, the things one could do with so much data! Some of you have been so kind as to suggest what to do with it all (Hello, ICIT!).
After letting the records collect dust in a folder somewhere for months, we went to Peachtree Orthopedics – like Athens Orthopedic – and proposed a solution to the dilemma – we have data that they don’t want to us to have. With us both running a business, we hoped for a speedy resolution so we can go our separate ways – it was anything but.
I’m not reproducing the rest of their release, but looking at the internal documents, it looks like it was exfiltrated on or about May 18. That makes sense given that TDO first told me on June 29 about a hack of an Atlanta clinic with Atlanta Braves players’ info.
But if the data were hacked in May, when did POC first discover the breach? In mid -August, one of their employees told me that they had been investigating with the assistance of the FBI. But how did they first learn of the breach, and when? How is it that they were unable to confirm the breach until September 22? When did TDO first contact them with their extortion demand?
Update2: I just took at look at the internal docs TDO dumped. There are some tax return-related data, a bunch of insurance billing codes, some personal information on patients and staff, a copy of the liability insurance policy, a file curiously named or renamed “CV of doctor to ransom.pdf,” and a plain text file with the names of insurance companies, their tax ID number, and the login credentials to every insurance site. The login credentials are pretty pathetic. Here are just a few, because I would hope that they have changed them already since they’ve known about the hack for a while:
Log In: PEACHTREE2001
Login: poc2001 Password: billing01
Log In: bpoc Password: billing1
Log In: ORTHO2001
Update3: This breach was reported to HHS on November 18 as affecting 531,000 patients.