Prosthetic & Orthotic Care patient info remains publicly exposed
First, a quick update on the Athens Orthopedic Clinic breach:
It took two requests, but I’m pleased to report that Pastebin removed three pastes with over 1,350 patients’ information. Those pastes were separate from an earlier paste with an additional 500 patients’ information. News outlets that continue to report that 500 patients’ information was exposed and put up for sale are, to be blunt, reporting inaccurately. Every AOC patient’s data was up for sale on the dark web, and the hackers claimed to have sold some of it (a claim that this site has no way of confirming or disputing). In addition, almost 2,000 AOC patients had their information on an easily accessed public site (Pastebin) where anyone could view it and copy it. For those unfamiliar with these things, Pastebin is on the web, not the dark web.
Following publication of my article that their patient data was still exposed on Pastebin, AOC did not contact this site to ask where the data could be found so that they could take steps to get it removed. Nor did they contact this site to say thank you for this site’s efforts to get THEIR patients’ information out of public view. Just so you know.
But today, in going through my notes, I realized that there’s still another paste up on Pastebin from another victim of TheDarkOverlord. This paste has data that appears to be from 499 patients of Prosthetic & Orthotic Care.
On July 9, I had reported on the P&O breach. In my report, I noted that I had made several attempts to notify them and speak to them, but they had not responded constructively. I even noted:
“As of yesterday, some of their patients’ data had been dumped on a public paste site, and then there were those pictures…”
P&O Care never got back to me. And like Athens Orthopedic Clinic, P&O Care never even asked me for the URLs of any paste I had discovered. Maybe if they had contacted me or asked, they could have had the paste removed. Instead, it has been online since July 9 and has been viewed 181 times. There are 499 records in that paste with names, addresses, telephone numbers, insurance information, treatment codes, Social Security numbers (embedded in Medicare numbers), and more. The extent of information varies across patients, but it’s enough to cause problems.
DataBreaches.net has today submitted a request to Pastebin seeking removal of this paste, but seriously, getting these pastes removed is the responsibility of the breached clinics – not this site.
Update Aug. 28: The data are still publicly available.
Update Aug. 30: The data are still publicly available and I’ve sent a second request to Pastebin to remove it. I had also notified the clinic the other day, but once again, they did not respond. The paste has now been viewed 186 times.
Update Aug. 31: And finally, it’s gone.