DataBreaches.Net

Extortion demand on Athens Orthopedic Clinic escalates as patient data is dumped

Posted on August 3, 2016 by Dissent

On June 26, DataBreaches.net reported that several databases with patient information had allegedly been hacked and put up for sale on the dark net by hackers calling themselves TheDarkOverlord (TDO). This site subsequently identified one of the entities as the Athens Orthopedic Clinic in Georgia, and contacted them to alert them that it appeared that they had been hacked.

On July 25, AOC publicly acknowledged that they had been hacked and patient data stolen. Their notification came just days after 500 patients’ information was leaked on Pastebin with a note to the CEO to “pay the f**k up.”

The warning was in reference to a ransom demand of 500 BTC that had been made by TDO on June 27th. At the time, that sum converted to about $335,000. By the hackers’ calculations, AOC could protect the patient data from disclosure for about $1 per patient, which is considerably less than it would cost AOC to offer its patients credit monitoring services. Despite the bargain rate, the warning issued on Pastebin suggests that AOC was not complying with the ransom demand.

As I noted in my previous reporting, when AOC did confirm and disclose the breach, they did not publicly acknowledge that they had received any ransom demand. Nor did they disclose that patient data had already been leaked on Pastebin.

Today, more of AOC’s patient data was leaked on Pastebin. As is my policy, DataBreaches.net is not linking to the pastes. There may be more pastes than this site currently knows about, but at least 1,500 more AOC patients apparently had their information leaked today.

In an encrypted chat with a spokesperson for TDO who declined to provide his individual nick or role in the hack and extortion demands, DataBreaches.net was told that TDO has already been selling the data on the dark net. The sales, they claim, would not show up on TheRealDeal Market (TRD), which they say they mainly use as a listing service.

According to the spokesperson, TDO sells data, gives the buyer a chance (time) to misuse it, and then leaks the data publicly so others can also misuse it. If the spokesperson is being truthful (DataBreaches.net has no way to confirm or disconfirm these claims), then every AOC patient whose data has been leaked on Pastebin had their information previously sold to criminals. The spokesperson also stressed that if the patient’s information has not appeared on Pastebin, it has not (yet) been sold.

So far, the TDO spokesperson claims, they have sold the information of between 5,000 and 6,000 patients.

DataBreaches.net asked AOC to respond to the hackers’ claims and reiterated a request for an explanation as to why they have not publicly acknowledged any ransom demand, and why they have seemingly not informed patients that their information has been leaked. In response, a spokesperson for AOC sent the following statement:

I’m unable to confirm any of what you write about what the hacker has recently told you. AOC continues to work with its team to take all available steps to mitigate the criminal actions of the hacker, to secure its system, and to inform its patients of what has happened. AOC reported the breach to both law enforcement authorities and to HHS and is in the process of fulfilling its notification requirements under HIPAA. As you know, we felt it best to get ahead of the official notification with early notice on AOC’s website, and toll-free line, as well as by providing you a quote early on and releasing information to a few select local media.

In terms of your previous question re ransom demands, we have said to those who ask that there have been attempts at extortion for ransom. As you have reported, paying ransom does not guarantee any further criminal activity will not take place.

We’ve asked Pastebin to take down all the dumps, as anyone can when they see illegal activity, as soon as we find out about them, and that has taken more than 24-48 hours for several.

So if patients know to ask about ransom or whether their data have been publicly leaked, they may find out, but otherwise…? DataBreaches.net continues to believe that HHS should address this issue as an interpretation of HITECH: should patients be informed of such developments so that they have adequate information to assess their risk?

In the meantime, TDO claims that they have been selling patient records for an average of $17.82 a record, ranging from a low of $5.72 per record to a high of $25 per record.

Today, because AOC missed the ransom deadline, TDO raised the ransom demand to 700 BTC. In a statement to DataBreaches.net, they say:

We are doing our best to ensure that our demands are either met or that further harm comes to AOC and their current and former patients. We hope that the current and former patients understand that Kayo Elliot has the power to cease all of this abuse and drama by satisfying our demands. We have been more than amicable from the beginning and have escalated as a result of non-compliance.

If the past is any predictor of the future, DataBreaches.net expects to see many more pastes of AOC patient data, and possibly all of the database, which, according to TDO’s listing on TRD, has records on almost 397,000 patients.

AOC patients should not only consider putting a security freeze on their credit reports, but should also be diligent about checking any explanation of benefits (EOB) statements they get from their health insurer, to see if there is any evidence that their insurance account information has been used for insurance fraud.

Category: Breach Incidents, Commentaries and Analyses, Health Data, Of Note, U.S.
