[BreachExchange] Stolen medical records may be for sale

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 16 19:26:06 EDT 2016


http://chronicle.augusta.com/news/crime-courts/2016-08-16/stolen-medical-records-may-be-sale#

The hacker who infiltrated Athens Orthopedic Clinic’s computer system and
gained access to more than 200,000 patient records is being identified in
published reports as “The Dark Overlord,” who claims to have broken into a
number of healthcare databases and obtained millions of personal records.

At least some of those records, those reports say, were offered for sale on
the so-called “dark web,” an internet network not indexed by search engines
like Google, for payment via Bitcoin, a digital payment system that
bypasses traditional banking institutions.

The records are valuable for the personal information they contain, which
in the case of the Athens Orthopedic hack, according to a letter from the
clinic to its current and former patients, includes names, addresses,
Social Security numbers, birth dates, telephone numbers and, in some cases,
diagnoses and medical histories. Much of that information can facilitate
identity theft, leading to credit card fraud and other financial and
personal difficulties for victims.

According to InfoSecurity magazine online, just part of the recent hacks
attributed to The Dark Overlord could net the hacker (or hackers, as some
outlets suggest that The Dark Overlord may refer to a group of people)
“upwards of a half a million dollars.”

According to media and online sources, at least some of the Athens
Orthopedic records may, in fact, be among the records already offered for
sale by The Dark Overlord. The Web site Healthcare IT News, quoting a
Seattle law firm that is soliciting interest in a class-action lawsuit
against Athens Orthopedic, reported recently that approximately 500 of the
records obtained in the Athens Orthopedic hack have been put up for sale on
the internet. That data came, in turn, from databreaches.net, a blog
dedicated to detailed reporting on data breaches like the Athens Orthopedic
Clinic hack.

Thus far, all Athens Orthopedic has said about the hack is that it occurred
on June 14, was first noticed on June 27 and confirmed several days later.
The clinic says it then began working to determine which of its patients
were affected by the breach and subsequently began to check for correct
addresses before mailing the letters out, as required by federal law, in an
effort that concluded early last week.

Additionally, the clinic confirmed, as some early information on the hack
noted, that it was asked for a “ransom” to prevent release of the data. In
a prepared statement issued Friday through the clinic’s CEO, Kayo Elliott,
the clinic notes the data breach was the work of “a hacker who has
attempted to extort the Clinic for ransom money.”

Details of that ransom request have not been made available, and Athens
Orthopedic indicated it is working with the FBI in connection with the data
breach.

In the Friday statement, the clinic reiterated it was working with
information technology and security experts prior to the breach “to
maintain, test and improve its system,” and that immediately upon learning
of the breach, Athens Orthopedic Clinic “began working with a cyber
security team to determine the source and extent of the breach.”

According to the clinic, the hacker gained access to its digital database
by using the log-in credentials of an unidentified “third-party vendor”
which was subsequently terminated by the clinic. The clinic identified the
third-party vendor only as a “nationally known health care information
management contractor.”

“To find ourselves the victim of a sophisticated crime like this is
extremely unfortunate and challenging,” the clinic’s Friday statement
quotes Elliott as saying, “especially given the impact it is having on our
patients. Our emphasis right away was to ensure the patient records at AOC
are safe, and continue to provide the high-quality patient care our
communities depend upon.”

Because the data breach at Athens Orthopedic Clinic involved more than 500
patients, the clinic was required to report it to the U.S. Department of
Health and Human Services under terms of the 2009 federal Health
Information Technology for Economic and Clinical Health Act.

According to the HHS’s HITECH Act database, the Athens Orthopedic hack,
which the clinic says affected 201,000 current and former patients, is the
fifth-worst healthcare data breach thus far in 2016.

According to the HITECH database:

• A March-reported breach at Florida’s 21st Century Oncology involving the
hacking of a computer server affected 2,213,597 patient records;

• A February-reported breach at Florida’s Radiology Regional Center related
to the loss of paper and film records affected 483,063 patients;

• A May-reported incident involving a laptop theft compromised the records
of 400,000 people associated with California Correctional Health Care
Services;

• A March-reported incident at Indiana’s Premier Healthcare resulting from
the theft of a laptop affected 205,748 people.

Also according to the HITECH database, 30 reportable breaches occurred in
July alone, and five breaches were reported since the Athens Orthopedic
breach was posted to the Health and Human Services Web site.