Peachtree Orthopedic Clinic notifies patients of hack (Update3)

Months after it was hacked by TheDarkOverlord, a second Atlanta orthopedic clinic notifies patients.

Peachtree Orthopedic Clinic in Atlanta has disclosed that they were hacked. WSBTV has the story. But the hack wasn’t on September 22 as the news cast seems to suggest – that’s just when they confirmed it.

This is all quite interesting, because I had reported on August 15 that they were investigating and the FBI was assisting. And as I noted in my report back then, everything I knew and had uncovered pointed to this being the work of TheDarkOverlord, who had actually given me the first clue to the breach at the end of June.

So when was Peachtree actually hacked? And did the hack exploit RDP, some patient management software, or was this a case of a patient records management vendor having compromised credentials?

There’s a lot more to ask Peachtree Orthopedic. Maybe this time, their external counsel won’t call me to tell me I’ve got wrong information. We’ll see…

In the meantime, here is their notice from their web site:

Patient care is at the center of our mission and we take seriously the confidentiality of the information we hold. We regret to inform you that on September 22, 2016 we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation.

While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases the patient’s treatment code, prescription records, or social security number may also have been taken.

If you were a patient at Peachtree Orthopaedic Clinic prior to July 2014, you may be affected. In a small number of cases, patients who visited Peachtree Orthopaedic Clinic after July 2014 may also be affected.

Our investigation is in its early stages, but we felt it was important to communicate what we know at this time. We regret any anxiety or frustration that this causes you and are committed to supporting you.

We are reaching out directly to those affected via mailed letters and are offering one year of free identity protection services, including credit monitoring for affected individuals. In this letter, we will also outline other steps you can take to protect your identity, as well as information on how to access the free identity protection services.

If you have any questions, we have established a dedicated call center, which can be reached by calling (844) 801-5973 between 9 a.m. and 9 p.m. ET, Monday-Friday.

Thank you for your patience and understanding as we work through our investigation and try to provide you the best information and support that we can. We will share further information as we are able.


Mike Butler

CEO, Peachtree Orthopaedic Clinic

Update 1:  Later today, TDO issued a press release with some patient information and a link to a dump of some internal documents. But then, I never doubted they did this one. I assume that they’re trying the same failed strategy of naming entities and dumping some sensitive data to put pressure on the entity to pay an extortion demand, which they acknowledge they made.

From their statement today:

It all began many months ago when we acquired 543k patient records which contain both PII and PHI – well before the date of breach notice and alleged date of breach. 543,879 records for anyone counting. Oh, the things one could do with so much data! Some of you have been so kind as to suggest what to do with it all (Hello, ICIT!).

After letting the records collect dust in a folder somewhere for months, we went to Peachtree Orthopedics – like Athens Orthopedic – and proposed a solution to the dilemma – we have data that they don’t want to us to have. With us both running a business, we hoped for a speedy resolution so we can go our separate ways – it was anything but.

I’m not reproducing the rest of their release, but looking at the internal documents, it looks like it was exfiltrated on or about May 18. That makes sense given that TDO first told me on June 29 about a hack of an Atlanta clinic with Atlanta Braves players’ info.

But if the data were hacked in May, when did POC first discover the breach? In mid -August, one of their employees told me that they had been investigating with the assistance of the FBI. But how did they first learn of the breach, and when? How is it that they were unable to confirm the breach until September 22? When did TDO first contact them with their extortion demand?

Update2: I just took at look at the internal docs TDO dumped. There are some tax return-related data, a bunch of insurance billing codes, some personal information on patients and staff, a copy of the liability insurance policy, a file curiously named or renamed “CV of doctor to ransom.pdf,” and  a plain text file with the names of insurance companies, their tax ID number, and the login credentials to every insurance site. The login credentials are pretty pathetic. Here are just a few, because I would hope that they have changed them already since they’ve known about the hack for a while:

Password: BILLING2001
Login: poc2001      Password: billing01

Log In:     bpoc         Password: billing1

Log In: ORTHO2001
Password: 2001billing

Update3: This breach was reported to HHS on November 18 as affecting 531,000 patients.


About the author: Dissent

11 comments to “Peachtree Orthopedic Clinic notifies patients of hack (Update3)”

You can leave a reply or Trackback this post.
  1. Regret - October 13, 2016

    “[E]xternal counsel, Richard Sheinis of Hall, Booth, Smith, P.C.” might have some ‘splaining to do to the Braves organization and other POC patients in that he personally knew of the likelihood of a breach 2 months before the patients were notified. Might be that some bookmakers would see to know the prescription records of Braves players.

    But yay: “one year of free identity protection services;” all is forgiven.

    • Dissent - October 13, 2016

      From the data dump that TDO just released, it looks like at least some of the data was exfiltrated on May 18 or thereabouts. And TDO is claiming 543k records. I just updated the post.

      The thing I find most suspicious is POCs’ claim that most of the patients are prior to July, 2014. That would be a departure from what TDO has done in the past. I’m hoping TDO will give me more details.

      • Justin Shafer - October 13, 2016

        EXACTLY! Here I was blaming old acquaintances for all of the problems TDO causes, and then I see May 18th… and think… or not. But then they said before 2014… and… Who the hell knows.

    • betty duperray - October 17, 2016

      Well, I was also hacked and just spent the better part of today trying to subscribe to their offered free identity protection program. The website didn’t work, called the hot line who gave me a phone number and phone activation numbers that also didn’t work. Called call center back asked for a supervisor, spent 10 more minutes on hold then was told they would call me back. stay tuned to see if that actually happens and if it does, if it finally works. Their promised 15 minutes to sign up has so far cost me 2+ hours with no solution.

  2. Anonymous - October 14, 2016

    Would the hacker’s primary goal be the records of the Braves? I personally have not been in there since 2006, when Dr. Loughlin was still alive! Is there anyone I should notify, such as my banks, etc?

    • Dissent - October 14, 2016

      If the primary goal was the Braves’ records, then I might have expected them to try to extort the Atlanta Braves organization pretty quickly after acquisition of the records. To my knowledge, TDO didn’t do that, but maybe I just don’t know about it.

  3. Jane Doe - October 15, 2016


    i used to work in the IT department at Peachtree Orthopedic Clinic. They were very poorly ran and very very insecure from an IT standpoint.

  4. Anonymous - October 26, 2016

    This is amazing. My PII and PHI info out there and I get a year of free credit monitoring? Gee thanks Peachtree Ortho! That sure put my mind to rest…. not!
    And what about in 2 or 3 years? I’ll still have the same PII! I think there response and action to correct is FAR below what should be done. They had a responsibility to protect this info and they didn’t. They messed this up. And the patients are paying the price

    • Brian Scott - October 31, 2016

      Has anyone on this blog filed complaints with the FTC to investigate the possibility of negligence on the part of Peachtree Ortho. Nothing will change otherwise..

  5. Anonymous - October 31, 2016

    has anyone filed complaints with the FTC on Peachtree Ortho yet??

    • Bria Scott - November 2, 2016

      affected people need to file a complaint with ftc and the us dept of health and human services office of civil rights 800-368-1019 in order to get an investigation of the possibility of negligence started. this breach allowed theft of medical records which is a violation of HIPAA laws.

Comments are closed.