Athens Orthopedic Clinic Confirms 'Dark Overlord' AttackData Was Offered for Sale on the Dark Web
A Georgia-based orthopedic clinic has confirmed it's one of the victims of cyberattacks by a hacker calling himself "The Dark Overlord". The hacker recently posted for sale on the dark web copies of databases he claims contain 10 million records stolen from four U.S. healthcare sector organizations. The three other affected organizations have yet to come forward.
In a statement posted on its website, Athens Orthopedic Clinic is alerting patients that it "recently experienced a data breach due to an external cyberattack on our electronic medical records using the credentials of a third-party vendor."
Affected protected health information of current and former clinic patients includes names, addresses, Social Security numbers, dates of birth, telephone numbers and, in some cases, diagnoses and partial medical history, the clinic says in the statement.
Data for Sale
For several weeks, Athens Orthopedic Clinic was suspected as being one of three unidentified U.S. healthcare organizations whose stolen patient data was being offered for sale by The Dark Overlord on The Real Deal underground market on the dark web. Also being offered for sale was data from an unnamed health plan.
"I can confirm that it is our data that 'The Dark Overlord' claims to have taken. We are working with authorities," including law enforcement, an Athens Orthopedic Clinic spokeswoman tells Information Security Media Group.
She declined to name the third-party vendor whose credentials were compromised. The spokeswoman also declined to estimate how many patients were affected by the breach, adding that the clinic is in the process of notifying each affected individual. The organization plans to report the breach to the U.S. Department of Health and Human Services once patient notification is completed, she says.
The stolen database that is suspected of belonging to Athens Orthopedic Clinic had been touted by The Dark Overlord on the dark web as containing plaintext data of 397,000 patients of a Georgia healthcare organization, which was "retrieved from an accessible internal network using readily available plaintext usernames and passwords." (See Here's How a Hacker Extorts a Clinic.)
The hacker had been offering the stolen data from the four attacked healthcare sector organizations - including the clinic - for prices ranging from about $96,000 to $490,000 in bitcoin for each database. However, the hacker also left a note on the dark web that appears to indicate that the attacker attempted to extort payments from the entities before putting the data up for sale on the dark web.
The Athens Orthopedic Clinic spokeswoman declined to comment on whether the attacker had demanded a ransom or whether the clinic had paid one. The clinic also does not have any indication of whether any of the stolen data has been used for fraudulent purposes, she says.
In a July 25 statement to patients, Kayo Elliott, CEO of the clinic, says: "We are taking all necessary measures to ensure that any resulting damage is limited to the extent possible and working to retain your trust in our practice."
Although the clinic did not say it would offer free credit monitoring, it is advising that patients contact credit reporting agencies to create a fraud alert. "A team of cybersecurity experts and others continue to work hard to prevent any further breach, while we continue with our regular patient appointments and care," Elliott says.
While healthcare organizations are increasingly battling ransomware attacks, which involve hackers demanding a ransom to unlock data that they've encrypted, cybercriminals threatening to expose stolen data has been a longtime problem, some experts say.
"Before ransomware - holding data hostage was common," says Tom Walsh, founder of the consulting firm tw-Security. These kinds of attacks will continue "as long as organizations continue to pay the ransom demands," adds Keith Fricke, principal consultant at tw-Security.
Healthcare entities are sometimes more willing to pay extortionists to retrieve or unlock data than organizations in other industries because of the real-time nature of patient care and the sensitivity of health information, security experts say.
"The hacker community understands the motivation of healthcare to 1) focus on patient safety; and 2) care about patient confidence and loyalty, both of which are undermined by their being hacked and exploited by cybercriminals," says Mac McMillan, CEO of security consulting firm CynergisTek. "A motivated victim is more likely to pay."
Steps to Take
Healthcare entities - as well as their vendors - can take measures to help minimize the risk of having their data stolen. "Remote access, especially for individuals with elevated privileges, should use two-factor authentication. Criminals try to compromise credentials with elevated privileges," Fricke notes.
"Proactive event log monitoring and alerting is critical. Once criminals gain a foothold in a network, they are there for just over 200 days on average before being detected," he says. "That provides plenty of time to steal data and demand a ransom for it."
McMillan suggests that for business associates that have access to patient data, provider organizations should "restrict vendor access to specific platforms and systems and require two-factor authentication for all vendors who access your environment directly."
Steps to make an organization more resilient, McMillan says, include improving network, system and application integrity; testing the environment externally and internally; applying advanced malware detection solutions; enhancing system monitoring and auditing; reviewing, updating and practicing incident response; improving user training and awareness activities; implementing vendor security management; and having solid disaster recovery plans.
The ability to carry out contingency plans - including having strong data backup plans - can be a critical factor in how well an organization responds to and recovers from a cyberattack, including those involving extortion attempts.
A study conducted by the Department of Health and Human Services' Office of Inspector General between May and July 2015 found that more than half of 400 hospitals surveyed reported that they had suffered "an unplanned EHR disruption" in the year preceding the survey, according to a newly released OIG report. About a quarter of those suffering disruptions reported they experienced delays in patient care as a result.
Those disruptions include natural disasters, technical malfunctions and cyberattacks that can make EHR data unavailable to hospital staff. All the hospitals OIG surveyed had received Medicare incentive payments under the HITECH Act for using a certified EHR system.
OIG says that almost all hospitals that received Medicare incentive payments for using certified EHRs reported that they maintain a written EHR contingency plan.
Two-thirds of hospitals surveyed said their contingency plans addressed all four of the HIPAA requirements OIG reviewed, including having a data backup plan, a disaster recovery plan, an emergency-mode operations plan and testing and revision procedures.
"Persistent and evolving threats to electronic health information reinforce the need for EHR contingency plans," the OIG notes.