DataBreaches.Net


“Hear Me Roar:” Kaiser Permanente-related site defaced by GOT fans

Posted on July 30, 2018 by Dissent
What you were supposed to see at healthinnovation.kp.org

Kaiser Permanente’s Health Innovations web site wasn’t looking too healthy on Friday. If you attempted to access the site, instead of seeing happy and healthy people and notices about becoming members, you might have seen a notice that the site had been “Hacked by Dohaeragon.” “Dohaeragon” is reportedly “serve” in High Valyrian, the fictional language on Game of Thrones.

KP’s Health Innovation site was defaced by hackers.

And if you, too, are a fan of Game of Thrones (GOT), then you might have enjoyed the musical accompaniment to the defacement:  “Hear Me Roar.”

The defacement credited “Team Faceless Men” who allegedly consisted of Polatbey, Morghon, SoloKing, Claronomes, and KingOfNoobs. “Team Faceless Men” is also a reference to GOT, where they are a guild of assassins.

“‘Valar Dohaeris’. All men must serve. Faceless Men most of all.”

Kaiser Permanente was probably not amused, however, and within a few hours they had somewhat remedied the situation, although their “fix” appeared to be just moving the site to another IP address.

Whether or when they actually patched the site  is unknown to this site because KP has not replied to an email inquiry sent to it on Friday evening.  A source with knowledge of the situation, however, informed DataBreaches.net that prior to the attack, the site had not been subjected to KP’s usual and required security and had not been patched or updated in quite a long time.

And because KP did not reply to this site’s inquiry,  we also do not know if there was any personal information or protected health information that had been on that site and accessible to the hackers.

As to the attackers, there is no history of any “Dohaeragon” on defacement mirror sites like Zone-H. Their only appearance is on a Turkish site, golgeler.net. A Google search of the members’ names reveals that at least two of them appear to be Turkish gamers. A page on plays.tv about “Claronomes” indicated that that individual followed “Morghon,” whose personal information was given as

Real Name: Berkay Gender: Male Age: 17 Country/City: Turkey/Kusadasi Favorite Games: Rainbow Six Siege, The Forest, Blackwake, ARK, PUBG

But the bottom line is that this defacement should be somewhat embarrassing for Kaiser Permanente, which should be at the cutting edge of protecting personal information of patients or insurance plan members. Indeed, the Security statement for their web site states:

The Websites and the App have security measures in place that are intended to help protect against the loss, misuse, unauthorized access or alteration of information under our control both during transmission and once the information is received. These measures include encryption of data using the Secure Socket Layer (SSL) system, and using a secured messaging service when we send your personal information electronically to the Websites or the App. Despite these measures, the confidentiality of any communication or material transmitted to or from us via the Websites or the App by Internet, text message or email cannot be guaranteed.

While that may sound good, it seems that their site was too-easy pickings for a group of teenage gamers with no history of any serious hacking. Hopefully, KP is conducting an internal review to figure out how this could happen.

In the meantime, attempts to reconnect to healthinnovation.kp.org on Sunday resulted in the site redirecting to healthy.kaiserpermanente.org. It remains that way as of the time of this posting.

If KP does respond, this post may be updated.

Update of July 31: DataBreaches.net received a response from KP today. Their statement is as follows:

The site healthinnovation.kp.org is a site accessed by employees, physicians, and potential employees that provides information on an internal program. The site did not include any protected health information. As the site was developed and hosted outside the Kaiser Permanente network, the breach did not give attackers any access to protected health information of Kaiser Permanente members or patients, nor did it provide access to kp.org or any other Kaiser Permanente system.

We have investigated and are confident that there is no risk to member or patient data confidentiality. While still under investigation, we will be working with this vendor to ensure appropriate levels of security going forward.

Update 2 of July 31: DataBreaches.net received a polite request from KP asking this site to edit the headline from “‘Hear Me Roar:’ Kaiser Permanente site defaced by GOT fans.” KP’s rationale for their request was that as written, readers “might assume that THE Kaiser Permanente site (www.kp.org) was hacked which of course was not the case. This was essentially an externally-hosted information page.”

Technically, they’re right. However, the public generally does not know when big entities have other companies externally hosting subdomains (this issue has come up before on this site). Typically, the public will see “kp.org” and will rely on the brand and the reputation of Kaiser Permanente to assure them that the site has good security.  A member of the public is generally not going to expect that a subdomain is being externally hosted and is not under the same security as the main site/domain. 

So after some thought, I’m going to tweak the headline, but leave KP’s name in it, as a reminder to all entities that if you allow other companies to externally host a subdomain, you need to make sure that the external host is providing adequate security – because ultimately, it’s YOUR brand and reputation that will take any hit. 

Category: Breach Incidents, Hack
