St. Francis Health System hacked: TheDarkOverlord? (UPDATE)
TheDarkOverlord, who had hacked and attempted to extort a number of medical clinics in May – June, has seemingly reappeared [see UPDATES below this post], and claims to have hacked St. Francis Health System in Oklahoma:
Last week, we ransacked the web servers of Saint-Francis, a network of hospitals and clinics located in Tulsa, OK. We are now the proud owners of a large collection of medical and confidential records which we will release after Sunday unless we get paid 24 Bitcoins to this address: 17CF9LigWhxDnqPxX14rejcR1jhE3QGUJV
Being nice people, we offered Saint-Francis not to dump their data on the Internet in exchange for those 24 Bitcoins, which they so far declined to do. Because, why clean up your own mess, right? It’s not as if they left a giant gaping hole in their web application. OH WAIT, THAT’S EXACTLY WHAT THEY DID.
We do not care who pays us as long as those 24BTC are in our wallet by the end of the week. Whether you’re a concerned citizen, a patient from Saint-Francis or any other entity willing to help, we do not care. Our wallet is open to everyone.
If we do not get the amount requested by Sunday, all of the data we downloaded will be posted on the Internet.
The Dark Overlord
Their statement was followed by some sample data from a “diabetes” table. Unhelpfully, they did not include field headers, so although it appears that there are names, addresses, dates of birth and other information, it is not totally clear exactly what all the other information is. The data also appear to be old, from 2008.
A second sample is allegedly from a “ConsentsRecentlyGenerated” table. Those data appear to contain name, date of birth, and type of procedure being consented to, as well as the date and time and the name of the physician to whom consent was granted.
The hackers also posted some entries from a “Tips” table, which appear to be suggestions generated by employees as to how to improve patient satisfaction/experience.
At the time of this posting, St. Francis’s site is not responding.
DataBreaches.net has not yet attempted to confirm the authenticity of any data or claims, but will be following up on these claims.
Update 1: The hospital’s site is back online now and DataBreaches.net left a voicemail asking for information and confirmation or denial of the claimed hack. Of course, even if they confirm the hack, that doesn’t mean it was by the same actors who called themselves TheDarkOverlord. Notice that I had reported that they had “seemingly reappeared.” There are several things about the paste that make me wonder if this might be a copycat. If not, then at the very least, someone else has taken over the public statements and letter-writing. DataBreaches.net has been trying to make contact with TDO through previous channels to ask them to confirm or deny whether this was really their hack.
Update 2: I have been told by a source close to TheDarkOverlord that the Saint Francis hack was not by TheDarkOverlord and that TDO had told him that it wasn’t TDO. The same source would also like DataBreaches.net’s readers to know that he is extremely funny (I can actually vouch for that!), “a bit of a looker” and “charming.” Did I mention that I could vouch for him being extremely funny?