Austin Manual Therapy Association recently notified HHS of a hacking incident that reportedly affected 1,750 of their patients.
That incident was first reported on DataBreaches.net on October 18, after TheDarkOverlord (TDO) had publicly claimed in tweets to have hacked them. TDO’s tweets had also suggested that they had made an extortion demand on the therapy clinic.
AMTA’s notification appears below. It makes no mention of any extortion demand. There is no actual requirement that an entity tell patients that there had been an extortion demand, but to the extent that such information might be important to patients in determining their risk of harm, this site believes it should be disclosed.
Of course, it is possible that AMTA never saw the extortion demand if it was sent by email and went to their spam folder. DataBreaches.net did not find out how TDO delivered the demand, nor how many times it attempted to contact the clinic.
Note that AMTA never got in touch with DataBreaches.net to inquire what data we might possess that might help them understand the scope of the breach, even though this site attempted to contact them on two occasions in October.
Somewhat surprisingly, AMTA claims that TDO only accessed a limited amount of data. That conflicts with TDO’s repeated claims to this site that when they attack entities (like AMTA), they get everything. TDO did not provide this site with a copy of the full patient database from this hack, so DataBreaches.net has no data to confirm or disconfirm AMTA’s claims.
But maybe the next time HHS or FTC updates their helpful guidelines to entities about responding to breaches, they should mention that rather than just ignoring media requests, breached entities might want to respond to media and ask whether media outlets have any files that might help them investigate the scope of the breach. And while they’re at it, why not ask whether the news or media outlets would be willing to destroy any files with PHI or at least encrypt them? Just a thought.
The following is part of AMTA’s notification about the incident.
Notice of Data Breach / Data Security Incident
December 8, 2017
Dear valued patients:
We recently learned that criminals hacked into our computer systems. We do not have complete contact information for all of the individuals that may have been impacted by this attack. If you are concerned that you may have been impacted by this attack, please contact us at 1-800-215-2054 or [email protected].
More information on the cybersecurity incident is provided below.
What Happened: On October 9, 2017, we learned that a criminal attacker accessed our system without authorization. We took immediate action to stop the intrusion and to investigate the incident. We brought in a leading, national cybersecurity team to conduct a comprehensive analysis to determine the scope of the intrusion and to ensure the incident has been contained. We have learned that the attacker accessed limited portions of our system during the time frame of October 3, 2017 to October 9, 2017. We have found no evidence of unauthorized activity on our core electronic health records system.
What Information Was Involved: Despite conducting a comprehensive forensic analysis, we have very little evidence as to what documents or information the attacker was able to access or steal. We know that the attacker was able to access one of our computers and a shared file system. Based on the information stored on that computer and shared file system, the attacker may have been able to obtain some patient names and, in some circumstances one or more of the following types of information: addresses, phone numbers, occupations, dates of birth, insurance policy information, insurance coverage and eligibility information, charge amounts, dates of service, driver’s license information, diagnosis, health screening information, referring physician information, and full or partial social security numbers. It appears at this time that most of the potentially affected individuals reside in Texas, although we have learned a few individuals may be in other states.
What We Are Doing: As set forth above, upon learning about this incident, we immediately took steps to stop the intrusion and to prevent further unauthorized access to our system. While our investigation is substantially complete, it remains ongoing and will likely continue through the end of the year. We also have implemented and are continuing to implement additional security measures designed to prevent a recurrence of this type of attack, to quickly identify unusual activity, and to further protect the privacy of your information. We are actively working with forensic investigators, law enforcement and the U.S. Department of Health and Human Services.
What You Can Do: We strongly encourage you to take action, along with our efforts, to minimize or eliminate any potential harm from this incident. ….
The full notice can be found at https://www.austinmanualtherapy.com/docs/Data_Breach_Notice.pdf.
As an impacted patient, I would like to know what information DataBreaches has that was not disclosed by AMTA. Any idea who the “leading, national cybersecurity team” they procured was? Seems that their consultant should be the one to suggest reaching out (or not), so lay the blame at their feet.
I am not laying blame. I am suggesting that awareness about IR include thinking that news/media outlets may have data with PHI that is provided by hackers trying to get coverage of their hacks, and that CEs should think to ask about it. The same also applies to breaches in other sectors.
I will not go beyond what I already described/published in my previous post about the AMTA breach. If the CE wants to contact me, I will talk with them and can let them know what files I was given.
Perhaps you should lay some blame. AMTA has no idea about data breaches or how to respond to them. Their infosec consultant does. Either the consultant negligently didn’t follow all the leads at their disposal or they deliberately took a position of non-communication with you. Both of those are unproductive. I guess on the bright side, they didn’t blame and prosecute you. 🙂