DataBreaches.Net


Technology firm hack compromised clients’ EHR records: The Dark Overlord

Posted on July 15, 2016 by Dissent

On July 12, the hacker known as “The Dark Overlord” (TDO) offered the source code, software signing keys, and customer license database of a firm that develops and markets software that, among other things, implements the HL7 standards. The entity was not named in the listing on TheRealDeal Market. As I reported on July 12, I was already aware of the hack and had previously notified the entity of it, but I did not reveal their name at that time, so as to give them a chance to start investigating and to get their incident response under way. Yesterday, Jeremy Kirk also reported on the breach.

As with TDO’s other attacks, this one came with a ransom demand, which was basically to pay 800 BTC or have the source code and signing keys sold. But there was another aspect to this breach: the hacker’s claimed ability to access all of the firm’s clients’ EHR records. On a proprietary level, the hack and potential leak of the source code is serious, of course, as is the claim that the hacker had control of the signing key and could push out an update to all clients. As a patient privacy advocate, the access to EHR records and potential for corrupting them or stealing them is worrying.

Listing on TheRealDeal Market

Because the entity has decided not to issue any statement at this time, and because their clients’ EHR records were apparently accessed as part of the attack, DataBreaches.net is going to reveal what we know so far about this incident.

On July 6, during an encrypted on-the-record chat, TDO provided me with a log from the attack, including the firm’s root directory and a copy of their .sql licensing database. I contacted the firm last week to alert them. In my conversation with them about what had happened, Ben Hoey informed me that there was no PII or PHI at risk.

In a follow-up chat with TDO, I asked him about their claim of no PHI involved.

“Of course not,” TDO told me. “Except when I used their code to find exploits in all their clients…. Also, since I was in their system, I signed a backdoor into their client – because I had access to their certificate signing. It got pushed out in an update a few weeks ago.”

TDO provided this site with a sample of EHR records from one or more clients.

“So yes, no PII/PHI my ass,” he commented.

The firm, when contacted with that information, did not reply to DataBreaches.net. And when I spoke with them earlier today, they declined to issue any statement, stating only that the matter had been turned over to their security team.

By now, I’ve seen enough to be convinced that TDO has everything he claims to have on them, and this can be a very costly breach for the firm.

Is TDO using this site and this journo to put pressure on the company? As Joseph Cox discussed on Motherboard, TDO is good at using the media to build his credibility or to exert pressure on targets. I’m probably an easy play for him, too, as my concern for ensuring patients are informed of breaches makes me more likely to report and disclose details. But as Cox and I agreed, even when you know you’re being used or played, you can or should still report on breaches.

So for now, I guess, unless I obtain any additional details from TDO or the firm, the only thing left to report is to identify the firm. It’s PilotFish Technology in Connecticut, and if you’re a client with EHR records, you may want to activate your incident response team. While I did not see proof that TDO got all EHR records from all clients, TDO claimed that they’ve got them all, and I tend to believe that.

For my other coverage and discussion of TDO’s hacks, see these posts.

Correction: this post was edited post-publication because, as a commenter correctly pointed out, I should not have described the firm as an “HL7 entity.” Thanks to the commenter for pointing out the less than accurate description I had provided.

Category: Business Sector, Hack, Health Data, U.S.


14 thoughts on “Technology firm hack compromised clients’ EHR records: The Dark Overlord”

  1. Jordana Ari says:
    July 15, 2016 at 11:50 am

    I wonder what his motives are in regards to this hack and others. If it’s all about breaking into servers for whatever glory, well, that is obviously screwed up.

    1. Dissent says:
      July 15, 2016 at 1:23 pm

      He’s very clear that his motive is money.

      1. Jordana Ari says:
        July 15, 2016 at 1:52 pm

        At some point, he will get caught. I don’t think he is smart enough to stay hidden and in the dark

        1. Dissent says:
          July 15, 2016 at 2:06 pm

          And your opinion is based on… what? Having chatted with him at length, I think if he gets caught, it will be due to an opsec slip up somewhere, but he’s incredibly intelligent. I just wish he was on my side of the equation.

          1. Jordana Ari says:
            July 15, 2016 at 2:41 pm

            He keeps tweeting and goading, based on his tweets (whom I follow). I have noticed most of these hackers are very intelligent but seem to slip with something that should be a no-brainer.
            I have a slight hunch that certain govt agencies may be tracking too. I don’t want to give out my perspective on this through public domain though. This came through a recent conversation I had with someone

          2. Dissent says:
            July 15, 2016 at 3:24 pm

            “May be tracking?” LOL. Of *course* they’re trying to track him down. He’s a major threat.

          3. Jordana Ari says:
            July 15, 2016 at 3:32 pm

            I know…will inbox more…not saying anything else

  2. Jordana Ari says:
    July 15, 2016 at 2:53 pm

    Who I know works for a govt entity..

    I had a problem sending that last comment and this completed the last sentence.

  3. JS says:
    July 15, 2016 at 7:44 pm

    Holy shit.

  4. Grahame Grieve says:
    July 18, 2016 at 3:04 am

    Dissent: “On July 12, the hacker known as “The Dark Overlord” (TDO) offered the source code, software signing keys, and customer license database for a Health Level Seven (HL7) entity.” – that sentence is badly misleading – PilotFish is a company that provides software that implements – among many other things – the HL7 specification. That does not make them an “HL7 entity,” whatever you think that might mean. HL7 is a standards organization that defines interoperability formats. It doesn’t have entities that are companies. But it does protect its name… Please correct your description.

    1. Dissent says:
      July 18, 2016 at 3:27 pm

      Thanks for your thoughtful comment. I have edited the text to make it more accurate, I hope.

  5. Random says:
    July 18, 2016 at 11:46 am

    Oddly I am familiar with that software and they technically don’t host or create EHR records. I wonder if there would be some real followup before reporting on these. This article has created a nightmare for me since I support a company that uses this software.

    1. Dissent says:
      July 18, 2016 at 3:33 pm

      The hacker claims he got into the clients’ records through the company. The hacker also claimed to have all their source code. So I take your point, but I don’t think I claimed they hosted or created records. Also, because of the signing key issue, the hacker could have pushed out an update to all licensed users that would leave a backdoor into the clients’ network via the software and the hacker had told me that he did have such a backdoor.

      So is this a bit of a nightmare? I think it may be, and I hope Pilotfish shares the results of any forensics examination, at which point, I’ll be happy to follow up. My main concern was to alert clients whose records may have been compromised by events.

  6. Grahame Grieve says:
    July 18, 2016 at 7:56 pm

    Thanks for the correction – it’s all good now. I too hope that we find out the forensics, but it sounds unlikely to me.
