On June 26, DataBreaches.net reported that several databases with patient information had allegedly been hacked and put up for sale on the dark net by hackers calling themselves TheDarkOverlord (TDO). This site subsequently identified one of the entities as the Athens Orthopedic Clinic in Georgia, and contacted them to alert them that it appeared that they had been hacked.
On July 25, AOC publicly acknowledged that they had been hacked and patient data stolen. Their notification came just days after 500 patients’ information was leaked on Pastebin with a note to the CEO to “pay the f**k up.”
The warning was in reference to a ransom demand of 500 BTC that had been made by TDO on June 27th. At the time, that sum converted to about $335,000. By the hackers’ calculations, AOC could protect the patient data from disclosure for about $1 per patient, which is considerably less than it would cost AOC to offer its patients credit monitoring services. Despite the bargain rate, the warning issued on Pastebin suggests that AOC was not complying with the ransom demand.
As I noted in my previous reporting, when AOC did confirm and disclose the breach, they did not publicly acknowledge that they had received any ransom demand. Nor did they disclose that patient data had already been leaked on Pastebin.
Today, more of AOC’s patient data was leaked on Pastebin. As is my policy, DataBreaches.net is not linking to the pastes. There may be more pastes than this site currently knows about, but at least 1,500 more AOC patients apparently had their information leaked today.
In an encrypted chat with a spokesperson for TDO who declined to provide his individual nick or role in the hack and extortion demands, DataBreaches.net was told that TDO has already been selling the data on the dark net. The sales, they claim, would not show up on TheRealDeal Market (TRD), which they say they mainly use as a listing service.
According to the spokesperson, TDO sells data, gives the buyer a chance (time) to misuse it, and then leaks the data publicly so others can also misuse it. If the spokesperson is being truthful (DataBreaches.net has no way to confirm or disconfirm these claims), then every AOC patient whose data has been leaked on Pastebin had their information previously sold to criminals. The spokesperson also stressed that if the patient’s information has not appeared on Pastebin, it has not (yet) been sold.
So far, the TDO spokesperson claims, they have sold the information of somewhere between 5,000 and 6,000 patients.
DataBreaches.net asked AOC to respond to the hackers’ claims and reiterated a request for an explanation as to why they have not publicly acknowledged any ransom demand, and why they have seemingly not informed patients that their information has been leaked. In response, a spokesperson for AOC sent the following statement:
I’m unable to confirm any of what you write about what the hacker has recently told you. AOC continues to work with its team to take all available steps to mitigate the criminal actions of the hacker, to secure its system, and to inform its patients of what has happened. AOC reported the breach to both law enforcement authorities and to HHS and is in the process of fulfilling its notification requirements under HIPAA. As you know, we felt it best to get ahead of the official notification with early notice on AOC’s website, and toll-free line, as well as by providing you a quote early on and releasing information to a few select local media.
In terms of your previous question re ransom demands, we have said to those who ask that there have been attempts at extortion for ransom. As you have reported, paying ransom does not guarantee any further criminal activity will not take place.
We’ve asked Pastebin to take down all the dumps, as anyone can when they see illegal activity, as soon as we find out about them, and that has taken more than 24-48 hours for several.
So if patients know to ask about ransom or whether their data have been publicly leaked, they may find out, but otherwise…? DataBreaches.net continues to believe that HHS should address this issue as an interpretation of HITECH: should patients be informed of such developments so that they have adequate information to assess their risk?
In the meantime, TDO claims that they have been selling patient records for an average of $17.82 per record, ranging from a low of $5.72 to a high of $25 per record.
Today, because AOC missed the ransom deadline, TDO raised the ransom demand to 700 BTC. In a statement to DataBreaches.net, they say:
We are doing our best to ensure that our demands are either met or that further harm comes to AOC and their current and former patients. We hope that the current and former patients understand that Kayo Elliot has the power to cease all of this abuse and drama by satisfying our demands. We have been more than amicable from the beginning and have escalated as a result of non-compliance.
If the past is any predictor of the future, DataBreaches.net expects to see many more pastes of AOC patient data, and possibly all of the database, which, according to TDO’s listing on TRD, has records on almost 397,000 patients.
AOC patients should not only consider putting a security freeze on their credit reports, but should also be diligent about checking any explanation of benefits (EOB) statements they get from their health insurer, to see if there is any evidence that their insurance account information has been used for insurance fraud.