Irony: When blackhats are our only source of disclosure for some healthcare hacks (Update1)

“We’ll not be caught, ever.”
— TheDarkOverlord, June 21, 2017

At this rate, the criminals known as TheDarkOverlord may be right. But if they escape accountability for their criminal acts, what about those who were responsible for securing our protected health information? Have they also escaped accountability and will they continue to escape accountability?

Since June 2016, DataBreaches.net has reported on hacks of healthcare entities by TheDarkOverlord (“TDO”).  At times, fellow journalists and I have expressed concerns about TDO gaming the media, i.e., using our reporting to put pressure on their victims to pay extortion demands. And there was also the issue that in the early days, TDO was flat-out lying to journalists about some things, lies that some of us may have unknowingly repeated.

Over time, some journalists pretty much stopped reporting on TDO. This site didn’t stop, because patients need to be alerted that their data have been hacked, and the healthcare sector needs to be reminded that these threats exist and are ongoing – and that they need to take proactive measures to defend against such attacks. To the extent such coverage may inadvertently help TDO boost their brand as attackers, well, that’s unfortunate, but I still think the public needs to be informed about what’s going on in the healthcare sector when it comes to protecting our information.

And while many fellow journalists do not report on the ongoing healthcare sector breaches, DataBreaches.net notes that for the most part, the media has not been asking enough questions, or the right questions.

First, let’s review what we know about claimed TDO hacks in the healthcare sector. I’m linking to previous coverage of them, where there’s been coverage:

1. Athens Orthopedic Clinic
2. Peachtree Orthopedics
3. OC Gastrocare   
4. An unnamed clinic in New York   and an  unnamed clinic in Oklahoma ??
5. Aesthetic Dentistry    (New York)
6. Prosthetic & Orthotic Care
7. Midwest Orthopedic Pain & Spine
8. Little Red Door Cancer Services of East Indiana
9. Tampa Bay Surgery Center
10. La Quinta Center for Cosmetic Dentistry
11. Feinstein & Roe
12. Dougherty Laser Vision
13. Coliseum Pediatric Dentistry (aka Hampton Road Dentistry) 

A few notes on the above:

1. The data from the unnamed clinic in New York were never proven to have come from a clinic, as the data were PII. The unnamed clinic in Oklahoma was also questionable as it appeared to be old data and there wasn’t much of a sample provided for verification purposes. It is not clear, therefore, whether these should be counted as incidents.
2. Of four incidents recently revealed by TDO on Twitter (before their @tdohack3r account was suspended), there were data dumps for two of them. There were no data dumps for Dougherty Laser Vision or for Coliseum Pediatric Dentistry, although TDO provided this site with sample patient records for each claim for verification purposes.
3. Of special note: there is no evidence that the most recently disclosed hacks were actually recent hacks. Some of these hacks appear to have occurred last year, although it’s not clear when the entities may have first discovered they had been hacked.

Keeping the above in mind, and that most of the hacks ultimately resulted in data dumps or data put up for sale on the dark web, why hasn’t the media been asking:

• How many of the twelve confirmed breaches were reported to HHS?
• How many of the twelve confirmed breaches were reported to state regulators?
• How many of the twelve confirmed breaches resulted in notifications to the affected patients?

Let’s take those questions one at a time. First, only four of the 12 confirmed breaches appear to have been reported to HHS:

• Athens Orthopedic Clinic
• Peachtree Orthopedics
• Prosthetic & Orthotic Care
• Midwest Orthopedic Pain & Spine

Now that may be because not all entities are HIPAA-covered entities.  And you may be thinking that some of the newer breaches are still within the 60-day window, but TDO informs this site that their victims (whom they prefer to call “clients”) have known for months about the breaches.

So why haven’t 8 of the 12 breaches been reported to HHS?  DataBreaches.net has filed under Freedom of Information to ask whether HHS received reports on these incidents but has received no response from HHS as yet.

In answer to the second question:  none of these breaches seem to show up on publicly available state regulator web sites that list breach reports. Because some of these entities are in California, and because California requires breach notification for medical, you might think that we’d see some of these on California’s breach list, but no. So DataBreaches.net has filed public records access requests with both the California Attorney General’s Office and with the California Department of Public Health for any breach reports for these incidents. We have received no response as yet (SEE UPDATE, BELOW).

As to the third question about notification to patients, DataBreaches.net could only find confirmation of patient notification for  the incidents reported to HHS and for the Little Red Door Cancer Services of East Indiana. Other entities did not respond to this site’s inquiries as to whether they had notified their patients, and this site could find no substitute notices or public notices, although it’s possible the notices were in local media not indexed by Google.

Of note, however, DataBreaches.net did contact patients of some of these entities, who claimed that they either did not receive, or did not recall receiving, any notification from at least two of the entities: Aesthetic Dentistry in New York City and Coliseum Pediatric Dentistry in Virginia. Neither entity had responded to inquiries from this site as to whether they had notified patients.

So here’s my request to the public:

If you were affected by one of the TDO incidents listed below, did you receive a notification letter from the doctor’s office or group about it?  You can use the comments section to answer, but if you have a notification letter you can send me, let me know.

• OC Gastrocare   
• Aesthetic Dentistry    (New York)
• Tampa Bay Surgery Center
• La Quinta Center for Cosmetic Dentistry
• Feinstein & Roe
• Dougherty Laser Vision
• Coliseum Pediatric Dentistry (aka Hampton Road Dentistry) 

And depending on the answers we get to the questions in this post, perhaps we should add one more question:

What, if anything, will HHS and state regulators do if they learn that entities have not reported breaches to them and/or to patients?  Will this get swept under a rug because the HHS breach tool is viewed by some as “too punitive?” Or will someone actually investigate to see whether patient information had been reasonably protected and patients notified of any breach? 

Update 1 July 6:  On June 23, DataBreaches.net filed public records requests with the California Attorney General’s Office and California Department of Public Health (CDPH), requesting any records filed by the following entities under California Civil Code Sections 1798.29 or 1798.82, or California Health and Safety Code Section 1280.15:

• Feinstein & Roe
• La Quinta Center for Cosmetic Dentistry
• Dougherty Laser Vision
• OC Gastrocare

On June 30, the California DOJ declined the request, responding, “We have not located any records responsive to your request.”

So none of those four clinics reported any alleged breaches to the DOJ and as of today, only one of seven entities (Tampa Bay Surgery) has reported anything to HHS.

DataBreaches.net subsequently obtained confirmation from reliable sources with firsthand knowledge who confirmed that OC Gastrocare had not reported any incident to HHS, to the state, or to any patients.  It is this site’s understanding that they are actively investigating the claimed hack.

Other entities contacted by DataBreaches.net did not respond to inquiries.