At the end of June, DeepDotWeb broke the story that hackers calling themselves TheDarkOverlord (TDO) had put three databases with patient information up for sale on the dark net. Although the owners of the databases were not listed, DataBreaches.net was able to identify two of the three entities as the Athens Orthopedic Clinic (AOC) in Atlanta and Midwest Orthopedic Pain and Spine (MOPS) in Farmington, Missouri. Both entities reportedly received ransom demands from TDO to pay up if they wanted their patient data destroyed and not sold, but as of August 6, no ransom had been paid, according to TDO. Whether any has been paid since then is unknown, but doubtful.
The third database, from an entity originally described as being in the midwest but later identified more specifically as being in Oklahoma City, was never identified by DataBreaches.net nor named by TDO. TDO later claimed that they wouldn’t be naming them because the entity had paid the ransom and their for-sale listing was removed from TheRealDeal Market. But paying any ransom does not negate any obligations under HIPAA and HITECH to notify patients and HHS of a breach, and DataBreaches.net notes that there is currently no entry on HHS’s public breach tool that would correspond to any incident in Oklahoma affecting approximately 210,000 patients. Either the Oklahoma City entity did not report the incident to HHS, they reported but HHS has yet to post the report, or TDO fabricated claims about an OKC database paying ransom to boost its reputation. Given that TDO lied to some news outlets (including this one) in other claims, any of the three explanations seem possible at this point.
The day after they created headlines over those three databases for sale, TDO also listed for sale what they described as an insurer’s database with 9.3 million records. After attempting to contact people whose data were included in an expanded sample of data provided to this site by TDO, DataBreaches.net suspected that the database was linked to United Healthcare, but UHC denied it was their data. As I noted in my report, their denial statement did not really rule out that it was one of their vendors. In a recent encrypted chat with a TDO spokesperson, the spokesperson claimed that the data had come from a vendor who was a lead generator for UHC but that UHC was “responsible.” TDO did not clarify what they meant by that and did not name that vendor.
To the best of DataBreaches.net’s information, no ransom was paid in that situation, either.
In July, TDO started leaking some of the AOC and MOPS patients’ information on Pastebin, while yet three more entities had their patient databases listed for sale on TheRealDeal. DataBreaches.net was able to identify two of three, and as I had done with AOC, notified those two promptly to alert them that their patient data appeared to have been compromised: Prosthetic & Orthotic Care, Inc. (P&O Care), who would also have patient data and images leaked on Pastebin and Twitter, an entity in New York that DataBreaches.net was unable to identify, and PilotFish Technology (PFT). The source code for the latter was subsequently listed for sale on AlphaBay (see InfoArmor’s detailed analysis of the code and the risks it poses).
In an encrypted chat, TDO confirmed to DataBreaches.net that they had attempted to extort PFT. As far as DataBreaches.net knows, neither P&O nor the unnamed NY entity paid any ransom. So far, then, the only publicly mentioned entity/victim that may have paid any ransom is an unnamed OKC entity.
TDO’s business model of attempting to extort entities in the healthcare sector via putting their databases up for sale, naming them if they resisted paying ransom, and then leaking patient data and alerting the media to such developments to increase the pressure on the victims, does not appear to have had any clear commercial success. Given that they were demanding fairly high ransoms, one can only wonder if their model might have worked if they had demanded smaller ransom amounts, although RexMundi also encountered refusal to pay ransom in their European-based attacks.
But even if the extortion business model appeared to be something of a commercial flop as publicly executed, the fact remains that a number of entities in the healthcare sector had their patient or client information hacked and acquired – and put up for sale. And in addition to the databases that have been, and remain, listed for sale, other victim entities were alluded to by TDO publicly and in encrypted chats with DataBreaches.net.
Other Entities Investigating
Although a TDO spokesperson told DataBreaches.net and other news outlets that they had a 0day that they used to gain access to some of their targets, some victims’ disclosures have made reference to compromise of an unnamed vendor’s credentials as being responsible for their breach. Last week, DataBreaches.net became aware that at least two previously unnamed entities are investigating whether that vendor’s breach resulted in compromise of their patient information.
One of those entities is Peachtree Orthopedic Clinic (POC) in Atlanta. In a telephone conversation last Wednesday, an IT employee confirmed to DataBreaches.net that they have been investigating for weeks, trying to assess what may have happened and that the FBI has been assisting them. The employee also confirmed that they were a client of the vendor that DataBreaches.net has been able to identify and names later in this report.
Several pieces of information had led me to suspect that POC might have become a victim of TDO, but I’ll only mention two of them here for now. One piece was that POC’s web site has a section on Team Affiliations that lists the Atlanta Braves and other teams. As I had reported on June 29, TDO had informed me in a private chat that they intended to release a database that day that I had described in my report as relating to a “major Atlanta sports team.” That team had actually been named by TDO to me as the Atlanta Braves. But TDO had also informed me that it was not the Atlanta Braves organization that had been hacked but another entity – a clinic – that was involved with the Atlanta Braves and other sports teams, a description that matches POC’s web site.
Second, POC is an orthopedic clinic, and TDO had hit other orthopedic clinics, including Athens Orthopedic Clinic, which, like Peachtree, is also in the Atlanta area.
Several hours after my phone conversation with the POC employee and my follow-up email to POC requesting a statement for publication, I received a phone call from their external counsel, Richard Sheinis of Hall, Booth, Smith, P.C. Mr Sheinis said he was calling to inform me that information in my email to them was inaccurate and that I had been given “bad information.” He would not specify exactly what in my email to them was inaccurate. Nor would he confirm nor deny whether POC had been hacked. Basically, then, I am not sure what they think I may be wrong about, but if they would like to provide a statement or correction, I will be happy to post it. For the time being, though, note that there is no confirmation or denial from POC that POC patient data has been compromised.
Another entity that is currently investigating whether their patient data may have been compromised is SSM Health in Missouri. A spokesperson for SSM neither confirmed nor denied that they had been hacked, and provided the following statement to DataBreaches.net:
We are currently working with members of law enforcement to evaluate the extent to which one of our business partners has been compromised by a cyber-attack. As this is an active investigation, we can offer no additional details at this time. We remain vigilant in continuously monitoring our systems and take very seriously our role in safeguarding patient information.
DataBreaches.net has seen no real evidence that SSM patient data were hacked or acquired, and no TDO spokesperson ever mentioned “SSM” during any encrypted chats.
A third previously unknown and potential victim of TDO remains somewhat controversial due to a common name. One member of TDO told DataBreaches.net that “Mercy Healthcare” was one of their victims, and described Mercy as a large midwest system. But Mercy in Missouri (where other victims are located) firmly denied that they were hacked. MercyCare in Atlanta also firmly denied to DataBreaches.net that they had been hacked. But based on unconfirmed information received by this site, there may be at least two groups of hackers claiming that an entity named “Mercy” was hacked and/or had their patient data downloaded as a result of the vendor’s file. DataBreaches.net does not know whether either of the two “Mercy” entities mentioned above were clients of the vendor in question.
Illinois Vendor Named
Quest Health Information Management Solutions/Quest Records LLC are based in Swansea, Illinois. They describe their services as “a spectrum of release of information and document management services in order to help our clients focus on providing the highest quality of care to their patients.” While no TDO victim has actually named the vendor they blame for their breach, a recent statement by AOC quoted in an OnlineAthens report described the vendor as a “nationally-known healthcare information management contractor.”
Third-party vendors can provide a wealth of login credentials to clients’ data. In this case, DataBreaches.net was informed by a source that an inadequately secured Quest Records LLC file on Dropbox put all of that vendor’s clients at risk because it allegedly contained their login credentials in plain text. And although DataBreaches.net has not been able to get confirmation of this, TDO reportedly did not hack the vendor, but rather, came into possession of the file acquired by other hackers. They then purportedly used it to attack and extort the vendor’s clients.
In response to an inquiry from DataBreaches.net, Quest Records claims that they first learned that they had been compromised in April. In a statement provided to DataBreaches.net last week, they wrote:
CHICAGO, IL (August 9, 2016) – On April 21, 2016, Quest Records discovered a data security incident involving its computer systems. Quest Records immediately began an investigation, and retained a third party computer forensic firm to assist. Quest Records previously notified its clients of the incident, and is cooperating with the FBI as they investigate as well. Quest Records takes the security and confidentiality of information in its systems very seriously, and has taken significant steps to further enhance the security of its systems.
Quest’s CEO Chad Gray declined to provide further information as to when clients were notified and exactly what they had been told or advised. Gray’s biography on LinkedIn shows that he was employed by SSM Health as Director, Medical Management, from 2004 – 2008.
DataBreaches.net has been trying to obtain copies of Quest Record’s notification letters, and will update this post if the information is obtained. But this site’s current understanding is that the credentials in the Quest Records file that had been acquired on or before April 21 still worked when TDO attempted to use them in May to steal data from Midwest Orthopedic Pain & Spine. And the credentials in that Quest Records file allegedly still worked on June 14 when TDO attacked Athens Orthopedic Clinic.
So when were AOC and MOPS notified by Quest Records and what were they told? Did they have adequate notice to change their passwords and protect themselves from TDO? Did other clients?
How Many Other Victims?
And how many other clients of Quest Records LLC may have had their patient information hacked or may still be at risk? DataBreaches.net does not know, but would not be surprised if there were a number of clients currently investigating to determine if their patient data was accessed or acquired. In an encrypted chat, TDO had indicated that there were “tons of clients,” and that they had all been attacked. That may have been hyperbole, but it is still cause for concern.
If you have specific information, or a copy of Quest Records’ notification to clients, please contact me on Jabber at [email protected] or see the home page of DataBreaches.net for my public encryption key for email.
That 60 day window is not always your friend. Great article!