Back in June, this site noted that the majority of victims of TheDarkOverlord had not reported the claimed breaches to HHS and that this site had filed a Freedom of Information request with HHS seeking any records on those breaches.
That FOIA request included an incident involving the medical practice of Drs. Feinstein & Roe in California. On June 8, TheDarkOverlord had dumped 6,642 patient records on Pastebin that they claimed came from the practice. The records included full name, address and telephone number, date of birth, Social Security numbers, and medical information, as well as other personal details. The hacker(s) did not indicate when the hack had occurred or when they first notified the doctors about the attack, so we do not know the actual date of attack or date of discovery.
On August 8, HHS responded to the FOIA inquiry of June 23, stating that there were no records filed by June 23 for any of the five incidents specifically queried.
Today, HHS updated its public breach tool to include the Feinstein & Roe incident. According to HHS’s records, the incident was reported to them on August 21 as affecting 6,642 patients.
Other hacks claimed by TheDarkOverlord remain unreported to HHS and to the state of California, but of course, not all entities are covered by HIPAA and not all of TheDarkOverlord’s victim entities involved California patients. Will other entities eventually report to HHS or disclose publicly? We’ll just have to keep watching for that.
And if you’re wondering why you haven’t heard anything recently about TheDarkOverlord, well, that’s an interesting question. A very interesting question, perhaps.