While thousands of their followers on Twitter seem to be eagerly waiting for TheDarkOverlord (TDO) to dump more tv films or episodes of popular series, TDO went non-fiction this morning, dumping patient/medical records from some of their hacks in the healthcare sector last year. All told, almost 180,000 patients had their personal information shared with the world.
Two of the incidents were previously known to this site, and had already been included in monthly analyses provided by this site to Protenus for their Breach Barometer reports. But for the benefit of those readers or journalists who seem to be first discovering TDO, here’s a list of some medical entities that TDO attacked last year (links are to mentions of the incidents on this site):
- Athens Orthopedic Clinic
- Peachtree Orthopedics
- OC Gastrocare
- An unnamed clinic in New York
- Aesthetic Dentistry
- Prosthetic & Orthotic Care
- Midwest Orthopedic Pain & Spine
- Little Red Door Cancer Services of East Indiana
- An unnamed clinic in Oklahoma
DataBreaches.net strongly suspects that there are other medical clinics that were also attacked but never disclosed publicly.
In addition to medical clinics/providers and insurers, TDO’s victims have also included software and third-party vendors like PilotFish Technology, Quest Records Management, and the still-unnamed third-party vendor of a health insurer where 9.3 million records were listed for sale on TheRealDeal. And then there were that attacks in other sectors, like the attacks on WestPark Capital, Gorilla Glue , Pre-Con Products, G.S. Polymers, DRI Title, and other entities.
For those who are new to TDO’s playbook, be aware that if they dump databases, it’s usually because the entities would not pay their extortion demands and there is no market for the data or no longer any market for the data. Dumping the database is often part of their strategy to send a warning to future victims that they should pay up or suffer the same fate of having their customer/patient/proprietary information dumped or sold.
Using the media to promote their reputation as dangerous hackers who follow through on their threats is also part of their playbook, which may explain why they have dropped three databases today. Whatever their reasons, here’s what we know so far about today’s three newly dumped databases:
Aesthetic Dentistry
Aesthetic Dentistry in New York City was hacked by TDO last year. It was clear from what TDO tweeted last year that Aesthetic Dentistry was not about to pay TDO any extortion. Showing a healthy dose of New York attitude, the intended victim had allegedly responded to TDO’s attempts to extort them with this reply:
Attempting to increase pressure on them, TheDarkOverlord issued a press release on Pastebin and dumped some of their patients’ data. The October 14th statement is still publicly available, although the paste with the selection of patient data was removed by Pastebin.
Despite the public pressure of revealing named patients’ medical diagnoses and other details, it would appear that Aesthetic Dentistry still did not pay the undisclosed amount TDO sought.
Today – seven months after their initial disclosure – TDO tweeted:
Don’t mind us as we dust off 3.5k dentistry patient records: https://t.co/o5dewUPA8y
— thedarkoverlord (@tdohack3r) May 4, 2017
“Don’t mind us as we dust off 3.5k dentistry patient records:”
The database, in .csv format, contains 3,496 patient records, where the field headings include a wealth of personal information, some health insurance information, information on the referrer, and some payment information. All of the identity information is in plain text. What may be of especial concern to patients, apart from the risk of fraud, is the disclosure of their health information. Diagnoses included in the database included cardiac diagnoses such as heart murmur, hypertension, kidney diseases, psychiatric conditions such as depression, and various allergies and sensitivities, etc.
Aesthetic Dentistry never responded to inquiries sent to them in January and February by this site. And because the incident never appeared on HHS’s public breach tool, DataBreaches.net filed a Freedom of Information request in February with HHS as to whether this incident had ever been reported to HHS. DataBreaches.net has still not received a response to that simple FOI request.
OC Gastrocare
OC Gastrocare in California is another entity that TDO hacked last year and that they had also attempted to extort. As with Aesthetic Dentistry, TDO did not publicly reveal how large the extortion demand was, and used a statement on Pastebin to try to increase pressure on them to pay.
Today, after first tweeting a link to the Aesthetic Dentistry data dump, TDO tweeted:
Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients: https://t.co/3OojH3PrVs
— thedarkoverlord (@tdohack3r) May 4, 2017
“Let’s add a zero to the last figure. Another clinic (OC Gastro) who has also mistreated us and their patients:”
Note that TDO’s concept of “mistreated us” often translates into: (1) the entity refused to pay their extortion demands, and/or (2) the entity ignored their demands altogether, which TDO has indignantly suggested is “unprofessional” on the victims’ parts. To this day, TDO’s public statements often reveal that they try to present themselves as “professionals” (e.g., signing their demands as “professional adversary” or providing legal-sounding “contracts” with extortion terms). TDO has occasionally commented to this site that they believe clinics are not doing right by their patients by refusing to pay “modest” extortion demands that could protect the patients’ privacy. In other cases, they had informed this site in encrypted chats that they had found what they believed was evidence of entities covering up other wrongdoing.
So how did OC Gastrocare allegedly “mistreat” their patients? By not paying an extortion demand? It’s uncertain, as TDO has yet to explain it.
The OC Gastrocare data contains approximately 34,100 patient records. As with Aesthetic Dentistry’s records, information such as date of birth and Social Security number are in plain text.
Tampa Bay Surgery Center
The third database TDO dropped today actually came as a surprise to this site, as I don’t recall ever seeing any mention of it before:
Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us. https://t.co/gAlt5rhOXd
— thedarkoverlord (@tdohack3r) May 4, 2017
“Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.”
The .csv-formatted database contains more than 142,000 patients records. And yes, date of birth and SSN were in plain text. There did not appear to be any health insurance information in this particular database.
Wait, What?
Here are a few things to mull over:
None of these three incidents appear on HHS’s public breach tool. Why not? Were they reported to HHS, and if not, should they have been?
Were the patients of these three entities ever notified of the incidents? At least two of these incidents were never disclosed on the victims’ web sites – at least as far as I could determine for Aesthetic Dentistry and OC Gastrocare. Because I did not know about Tampa Bay Surgery Center until today, it’s possible that there had been a notice on that site that I never saw, although I have found no evidence or archived copy anywhere if there was one.
DataBreaches.net has sent some emails to patients of of Aesthetic Dentistry and OC Gastrocare to inquire whether they ever received notification of the breaches. One patient of Aesthetic Dentistry has already responded, but stated that he does not recall whether he ever got any notification from them. Neither Aesthetic Dentistry nor OC Gastrocare responded immediately to emails sent to them today asking if they had ever notified their patients and asking for their reaction to TDO dumping their patients’ data.
This post will be updated if more information becomes available.
None of these three incidents appear on HHS’s public breach tool. Why not? Were they reported to HHS, and if not, should they have been?”
Certainly they should have been reported, and likely were. I’d imagine these breaches are all part of an “ongoing investigation” so our best and brightest federal investigators at the DoJ are likely pulling rank on the best and brightest investigators over at HHS and shutting the door to anyone else and the public on what’s going on. So, I probably wouldn’t expect to see the names of these clinics on the wall of shame or any resolution agreements or corrective action dox for a long time.
Except that the other TDO breaches ARE on HHS’s breach tool – Athens, Peachtree, Midwest…. all on there. I’ve been checking for that all along. And it’s one thing not to reveal it on the “wall,” but another not to notify the patients. I’m trying to find out if notifications were sent, too.
Let’s see how HHS answers my FOI request. If I have to sue them to get an answer, I will. I just hope it doesn’t come down to that, as I’ve never had to sue them before.