Overnight, TheDarkOverlord announced another hack, leaking some patient data into their Twitter timeline.
We’re upping the heat on Hollywood. It’s time for another round. This time: something a little different.
— thedarkoverlord (@tdohack3r) June 21, 2017
The data that they dumped appear to be from Dougherty Laser Vision, and includes the names, date of birth, telephone numbers, and postal addresses of nine celebrities who gave the center their endorsement.
Enter: Beverly Hills Dougherty Laser Vision https://t.co/gNUc8bUEKh
We love PII. Especially PII of celebrities.
— thedarkoverlord (@tdohack3r) June 21, 2017
In some cases, the celebrities’ Social Security numbers were also dumped on Twitter.
Nothing in the tweets specifically mentions extortion or whether Dougherty Laser Vision had refused to pay any extortion demand. There is no statement on the center’s web site at the time of this posting, and nothing on their web site seems to refer specifically to HIPAA, although they do accept medical insurance. If they are a HIPAA-covered entity, this incident will need to be reported to HHS; but even if they are not covered by HIPAA, this incident will almost certainly have to be reported to the California Department of Public Health as well as the California Attorney General’s Office. Other states may also need to be notified, because not all of the affected patients appear to reside in California.
Not surprisingly, TDO has not provided any information about how they were able to gain access to the database. Nor is it clear whether they will be dumping all of the patient data they may have acquired. These tweets may simply have been a warning to, or pressure on, Dougherty to pay up or have the rest of the data dumped publicly, although that is speculation based on TDO’s past M.O.
This post will be updated if more information becomes available.
UPDATE 1 – June 22: So far, Dr. Dougherty has not responded to an email inquiry sent through their site’s contact form yesterday. The inquiry asked them when they became aware of the hack, because in an encrypted interview, TheDarkOverlord claimed that “they’ve hid it for many months.” As of this morning, there is nothing on Dougherty’s web site, nothing in their Twitter timeline, and no press release or substitute notice that might confirm or dispute TDO’s claim. Not surprisingly, TheDarkOverlord also stated that, “Laser Vision refused our most handsome business proposal.”
DataBreaches.net will continue to try to obtain additional information about this incident as well as information about a second claimed hack by TheDarkOverlord involving Coliseum Pediatric Dentistry in Hampton, Virginia. They, too, TDO claims, did not accept TDO’s “handsome business proposal,” and it appears that they, too, have not posted anything on their site about any breach nor (yet) responded to an inquiry from DataBreaches.net asking whether they have notified their patients and regulators.
Unlike the Dougherty Laser Vision situation, TDO did not dump any Coliseum Pediatric Dentistry patient data on Twitter, although they did provide this site with a sample of patient data to allow verification of claims. That sample included patient records with name, address, telephone number, date of birth, and Social Security number, all in plain text. The records may have been parents’ records as the date of birth would generally make the patient too old to be considered a “pediatric” patient.
DataBreaches.net will provide updates as more information is obtained.
Update 2 – June 23: DataBreaches.net has still received no response from either Dougherty Laser Vision or Coliseum Pediatric Dentistry, but was able to verify the data TheDarkOverlord provided as a sample from the dental group. A patient reached by DataBreaches.net confirmed that the name, date of birth, and Social Security number in her record were accurate.
When asked whether Coliseum Pediatric Dentistry/Hampton Roads Pediatric Dentistry had contacted her to alert her to the breach, she replied that they hadn’t.
DataBreaches.net has today filed public records access requests with HHS for any reports filed by either Dougherty Laser Vision or Coliseum Pediatric Dentistry.