Jul 282018

A blackhat hacker known as “Lifelock” had claimed Holland Eye Surgery and Laser Center knew about his hack two years ago but failed to disclose it to patients or HHS.  A follow-up investigation by DataBreaches.net uncovered evidence supporting his claim. The evidence has been turned over to federal regulators. 

On June 2, DataBreaches.net reported that Holland Eye Surgery & Laser Center in Holland, Michigan had been hacked by someone who calls himself “Lifelock.” DataBreaches.net first learned of the hack in April, when Lifelock contacted this site with proof of the hack, including databases with patient data. According to statements made to this site, Lifelock had tried repeatedly – but unsuccessfully for two years  – to get Holland Eye Surgery & Laser Center to pay him what he described as a fee for his “security services.” But they had not paid him, even after he had informed them that he was starting to sell some of their patients’ identity information on the dark web. Now, he claimed, he was giving up on getting any money from them, but he wanted them exposed because they had allegedly never notified their patients of the hack or that he had told them that he was selling patient data.

Knowing that this site was being gamed or used, but also believing that this site should report on breaches that put patients at risk, DataBreaches.net  reached out to Holland Eye Surgery to get their response to Lifelock’s claims. Within days of me letting them know that I would be reporting on the hack, they issued a media notice about the breach. That notice indicated that they were notifying patients. The incident subsequently showed up on HHS’s breach tool, too.

In response to the publication of my story, Lifelock sent the doctors’ external counsel a list of patients whose data he claims he had sold on the dark web. He also claimed that he was going to now delete all of their patients’ data that he had acquired (his statements can be found in the “Comments” section under the previous article about this incident).

But as it turns out, that was not the end of the story. The doctors’ media notice was in obvious conflict with what Lifelock had claimed in terms of when the doctors first found out about the breach and extortion demand. As I commented in that earlier article, the doctors’ claims that they first learned of the breach in March, 2018 and that Lifelock had concealed the scope of the breach until then made no sense to me. And so I found myself believing Lifelock and not the doctors, even though Lifelock had no hard proof he could offer to back his claims.

Curiosity aroused, I kept investigating. The proof of Lifelock’s claims ultimately came from the doctors themselves.

As part of my investigation, I had  filed under Freedom of Information for any reports filed with the state of Michigan about the incident, and I had also filed with the Holland Police Department, and sent an inquiry to the Mayor of Holland, Michigan.

The state of Michigan responded that they had no responsive records. The Mayor of Holland, whom Lifelock alleged had  become a victim of fraud because he wanted to get her attention, did not reply at all to my inquiry.  The Holland Police Department, however, provided me with a heavily-redacted report on the incident. And that’s when things got really interesting.

Although a lot of the report was redacted, perhaps the most significant aspect of the report was when it was filed. The report had been filed on July 1, 2016. So – and as Lifelock had insisted to me – Holland Eye Surgery’s doctors had known about both the hack and the extortion demand by July 1, 2016, even though in their May media notice, they would claim that they first found out in March, 2018.

The report taken by the police included a statement that the doctors  reported that they had been provided with convincing data by the hacker that the hacker had obtained personal information on patients and employees. An email from the hacker, redacted from the copy of the report provided to this site, was described in the report as being several pages in length and including a statement as to how much identity information the hacker had acquired from patients and employees.

From the police report filed by Holland Eye Surgery & Laser Center on July 1, 2016An employee told the police that the information was consistent with what the employee knew about the named people and “very credible.” 

The doctors also reported that the hacker was demanding $100,000 as payment. While the amount differs from what Lifelock had claimed in communication with this site, what is significant is that on July 1, 2016 Holland Eye Surgery and Laser Center informed the police that they had received an email with evidence of a hack and an extortion demand.

The report by the police was subsequently updated after Holland Eye Surgery reported that they had received a subsequent communication from the hacker on July 6, 2016 stating that patient data would be sold on the dark web if they didn’t pay up by July 8, 2016.  They didn’t pay, and they never found out what patient data might have been sold until after my first report appeared and Lifelock then sent them a list of patients whose data he claims he sold back in 2016.

But importantly, Lifelock was right: they first learned of the hack in July, 2016. They had been receiving his communications and demands, even if they did not reply to them.

So why wasn’t the hack and extortion demand reported to HHS in July, 2016?  

Why wasn’t this hack reported to the patients in July, 2016?

DataBreaches.net reached out to Holland Eye Surgery & Laser Center for a statement in response to those questions and to inquire whether any patients had come forward to claim that they had become victims of fraud or identity theft after they first notified patients.  Holland Eye Surgery did not reply to the inquiry.

DataBreaches.net then reached out to their external counsel at McDonald Hopkins with those questions.  They, too, did not reply.

DataBreaches.net has submitted its findings to HHS/OCR with a request for investigation.

OCR generally does not investigate complaints of breaches that occur more than six months prior to a complaint, but if the breach was covered up for years, shouldn’t that be worth investigating? DataBreaches.net believes that the more than 42,000 patients who were never warned that their identity information was in the hands of a criminal deserve an explanation as to why the doctors they trusted with their protected health information never warned them after the hack.  DataBreaches.net believes that patients should have been notified that the hacker was claiming to be selling patients’ identity information on the dark web so that they could take steps to protect themselves.

And DataBreaches.net also believes that OCR must take enforcement action if entities not only fail to disclose breaches but then lie in their HIPAA-required notifications about when they first learned of a breach. Coverups, if OCR determines that the term is applicable here, cannot be rewarded and need to incur severe monetary penalties.

If you were a patient at Holland Eye Surgery and Laser Center and became a victim of fraud or identity theft after July 1, 2016, please contact this site via email to [email protected] We’d love to hear your story.

Jun 022018

After his victim allegedly didn’t respond to his repeated demands for a “security fee,”  a hacker accuses the victim of covering up a hack for almost two years. 

One of the breaches added to HHS’s public breach tool this past week is a breach reported by Holland Eye Surgery and Laser Center in Michigan. The incident is noted on HHS’s breach tool as a hack affecting 42,200 patients.  But according to the self-identified hacker, there’s more to this story than the covered entity has disclosed.

In early April, DataBreaches.net was contacted by a hacker who had contacted this site in the past about a hack of a dental practice. He is known to this site as “Lifelock,” and signs his communications as “Todd Davis,”  aka “Lifelock.” After his first contact with this site in the Yaley case, DataBreaches.net did find him on some dark web markets as Lifelock, selling identity information and “fullz.”

According to Lifelock’s statement to this site: in June, 2016, he hacked Holland Eye Surgery & Laser Center in Holland, Michigan. He then reportedly contacted them and demanded a “security fee” of $10,000.00 for helping them secure their patient data. As he related it to this site:

I invoiced them a fee of 10000 USD a fair payment for my time and to help them secure their data. They turned off access immediately to the RDP server so I know they received communications from me. Over the course of weeks I requested them to pay my invoice to secure their patient data. They never once acknowledged me. But I am very persistent and communicate with staff members, faxes and all means where i can verify delivery. These pricks want to cover up the incident.

When the doctors didn’t pay his “security fee,” he claims he followed through on a threat he had made:  he began selling small amounts of their patients’ data on the dark web – first on AlphaBay, and then later on, on TradeRoute. He claims that each time he did, he informed or taunted the doctors that he was selling their patients’ information.

According to his statements to this site, Lifelock sold more than 200 patients’ information, but still,

the practice did not inform Michigan or HHS authorities that the data had been breached. Their patients had no fair warning that the data had been breached. I setup banks for dirty money transfers in these peoples names, my buyers used them for identity protection for when arrested, and to make cell phone accounts to purchase 5 iphones at a time from Verizon, ATT et al.

I have contacted the practice at least 30 times over the past 2 years to do the right thing for their patients.

As part of the proof he provided to this site, Lifelock included two databases: one called patients.csv, with 202,163 records and one called person.csv, with 42,229 records.  The files are date-stamped June 26, 2016. Holland Eye’s report to HHS seems to correspond to the number of patients in the person.csv file, but it is not clear what happened to all the people who had data in the patients.csv file. That database has names, addresses, insurance information, and some other fields. DataBreaches.net sent an inquiry to Holland Eye’s external counsel asking for an explanation on that point, but did not receive an immediate response. This post will be updated if an explanation is received. UPDATE of June 4: Lawyers for Holland Eye responded to this site’s inquiry: “We investigated the patients.csv file you have a copy of and determined that there is not anyone in it who was not also in the person.csv file. The patients.csv file merely has more than one line item for many individual patients. In short, these people were included in the report to HHS.”  DataBreaches.net appreciates their clarification.

In any event, according to Lifelock, in March of this year, Lifelock contacted the doctors yet again, and also contacted the mayor of Holland, Michigan, Nancy De Boer. Shortly after those unsuccessful attempts, he contacted DataBreaches.net, claiming that his goal was now to get the patients notified and the doctors exposed and shamed for allegedly covering up the breach:

Please find a way to let the people of Holland know that they have been breached and that the people who swore a hippocratic oath to do no harm, have done them immense harm. Further that the people who are supposed to be in charge do not have their best interests in mind and would rather suckle the cocks of the rich Dutchmen rather than inform the common rabble of their plight.

The reference to “people in charge” appears to be a response to his attempt to get a response from Mayor De Boer. According to Lifelock, when he contacted her in March:

She did not respond until I opened multiple lines of credit in her name, utility accounts, EIN’s, etc… She did respond, and appeared to take the breach seriously, but her motive was to find my identity rather than help the people of her town. She used a silly technique of embedding a tracking image to try and find me.

On May 16, after confirming that the breach had never been reported to HHS or the state of Michigan, DataBreaches.net sent Holland Eye Surgery a detailed message about the hacker’s claims with a request for a response.

On May 18, two days later and almost 60 days after they claimed to have first learned of the breach, the practice issued a media notice in the Holland Sentinel.

In that notice, they claim that they first learned of the breach on March 19, 2018 when they were contacted by someone claiming to be a pentester who informed them that he had their patients’ data and had sold some of it.

External counsel for the doctors later confirmed to DataBreaches.net that the “pentester” signed his communication in March as “Todd Davis.”

Notice of May 18 in Holland Sentinel. Courtesy of Holland Sentinel.

According to their media notice, then, although the practice appears to acknowledge that they had been hacked in 2016 and that the hacker was in possession of their patient data, they claim that the hacker “concealed the extent of his or her access until the recent email communications in March 2018.”  That, of course, is disputed by Lifelock’s claims, but this site has no proof of his claims as to any contacts prior to March, 2018. When asked for proof of any early emails, Lifelock had replied:

Unfortunately my original communications to HE have been deleted when sigaint.org went down. I normally delete communications frequently as I am not wanting to have excess evidence should Europol\RCMP\ICR\Scotland Yard et al kick in my door one day. My normal intent is not journalism unfortunately. I will look to see if I can find old email addresses I used and see if there is any evidence. Some email addresses as you can imagine get eliminated for TOS abuses. Sadly Gmail doesn’t like its services to be used for extortion schemes.

Lifelock never provided any additional evidence after that communication. That said, the doctors’ version makes little sense to this blogger, while Lifelock’s version does make sense.

Why would a hacker hack them in June, 2016 and then wait almost two years to first contact them with a (“security fee”) demand? Lifelock’s claims that he hacked them, promptly tried to extort them for a “security fee,” and then upped the pressure on them (or tried to) by selling patient data and letting them know that he was doing that makes a lot more sense, and we’ve certainly seen that scenario before.  TheDarkOverlord (TDO) frequently used such methods – releasing small amounts of patient information or claiming to have sold it – to increase pressure on their victims.

So… is this site being gamed by Lifelock to seek revenge on a reluctant victim or to send a message to other victims to pay up or face public exposure? Perhaps, but if his claims are true, then the doctors covered up a breach for almost two years and knowingly left their patients at risk.  But are his claims true? This site has no evidence or confirmation of the crucial claim that Holland Eye first became aware that they had been breached in June, 2016. Perhaps that is something that OCR should investigate.

DataBreaches.net contacted the Holland Police with a freedom of information request for the police report and any associated records, but has received no response as yet.  This site also contacted Mayor Nancy De Boer’s office to request a statement, but did not get any response.

Holland Eye’s media notice makes clear that they have contacted patients whose Social Security number was involved and offered them credit monitoring services. They have provided all patients with advice on how to protect themselves and to check their statements for signs of information misuse. And as noted at the outset of this report, they have notified HHS.

This post will be updated if more information becomes available.