MA: SMART Physical Therapy hacked by TheDarkOverlord

SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy has two locations in Massachusetts:  one in Malden and one in Reading. But it doesn’t matter which one patients may have been treated at, as data from all of their patients was recently hacked by TheDarkOverlord. And not surprisingly, the attackers tried to extort the clinic.

Having spoken with personnel at SMART, DataBreaches.net was planning to delay reporting on this breach for a bit, to give them time to investigate and begin their incident response, but last night, TheDarkOverlord publicly announced the hack in their Twitter timeline.

Based on information provided to this site by TheDarkOverlord and by the owner of SMART PT, it appears that the hackers were able to access the patient data stored in Patterson PTOS software because of weak passwords.  Patterson (now known as Performance Health) had totally discontinued the PTOS software product line in March, 2017, so it was an unsupported product at the time of the hack on September 13.

As in other hacks attributed to TheDarkOverlord, the hackers demanded that SMART pay some ransom or extortion in BTC. Neither they nor the clinic told DataBreaches.net the amount of the demand, but it didn’t matter because the owner of SMART PT was having none of any of it. In a conversation with DataBreaches.net on September 15, Joanne Ponte indicated that she was not going to even consider any extortion demand. Nor, she said, would she communicate with the hackers at all, as they were criminals.

Over the next few days, TheDarkOverlord provided this site with some additional details, but also the patient database. It contained 16,428 patient records, all with unencrypted text.  The headers/fields were as follows:

PatientId,”LastName”,”FirstName”,”Address1″,”Address2″,”City”,”State”,”Zip”,”Sex”,
“ResPhone”,”OffPhone”,”CellPhone”,”Email”,”Dob”,”PayType”,”Ssn”,”Status”,
“Comments”,”EntryUser”,”EntryDate”,”EditUser”,”EditDate”,”Password”,”BGroup”,
“FacilityID”,”UDF”,”Occupation”,”Emgname”,”EmgPhone”,”Emgrelation”,”Title”,
“MaritalStatus”,”initial”,”nickname”,”HIPAA_AuthDate”,”Privacy_NotificationDate”,
“OKToContact_ResPhone”,”OKToContact_OffPhone”,”OKToContact_CellPhone”,
“SchedulingPreferences”,”ClusteredIndexId”

DataBreaches.net sent a follow-up contact request to the clinic to ask them if they wished to offer any statement at this point, but has not heard back from them. This post will be updated if they do send a statement.

TheDarkOverlord did not reveal what they intended to do with the patient data they acquired, but hasn’t the market been totally flooded already by now? Do individual records with PII and PHI still have any significant value or is it down to a few cents per record?

As one note on this breach:  DataBreaches.net called SMART PT on September 15. The call was initially at the request of TheDarkOverlord who may have hoped that if the clinic got a call, they would be more likely to pay attention to the emailed extortion demand. Or maybe TheDarkOverlord hoped that if a journalist called the clinic, the clinic might feel more pressure to deal with the hackers. I’m not sure of their motives and rationale, but the reason I agreed to actually call the clinic was because it appeared to me that the clinic probably didn’t know that they had been hacked, and by calling them, I would/could notify them that they needed to look into the matter and secure their patient data, etc.

When I reached the clinic, it was clear to me that they had no idea that they had been hacked – despite any emails TheDarkOverlord may have sent them.

So yes, the ethical considerations continue to worry me or give me pause, but at the end of the day, I think notifying entities so that they can protect patient data or begin incident response trumps my concern that some victims may misinterpret my motive or erroneously think that I’m somehow trying to encourage them to deal with extortionists or pay any ransom demands.