180,000 Patient Records Dumped Online by The Dark Overlord

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom.

That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the data if the victims refused to pay or ignored the requests. Many healthcare organizations chose not to pay up.

TDO has now made good on his/her promise and has published the data of more than 180,000 patients online, several months after the attacks occurred.

Aesthetic Dentistry of New York City, OC Gastrocare of Anaheim, CA, and Tampa Bay Surgery Center in Tampa, FL have all had highly sensitive patient data published online last week . The data of 3,496 patients of Aesthetic Dentistry, 34,100 patients of OC Gastrocare, and 134,000 patients of Tampa Bay Surgery Center can now be freely downloaded. A link to the website where the data were dumped was sent out by TDO on Twitter last week.

At least nine healthcare organizations are known to have been attacked by TDO last year according to databreaches.net, which has been tracking the TDO attacks.

Some of those organizations have had their patient data listed for sale on the darknet marketplace, TheRealDeal. TDO claimed last year that buyers had been found for some of the stolen data. It is unclear whether attempts were made to sell the 180,000 patient records and no buyers could be found, hence the publication of the data.

None of the organizations impacted by the latest data dump have submitted breach reports to the Department of Health and Human Services’ Office for Civil Rights, although some of the other victims of TDO have issued breach reports to OCR and have notified their patients.

Extortion attempts – either using ransomware or threats of publication of data – have now become commonplace. The FBI recommends never paying a ransom demand as it only encourages further attacks. There is also no guarantee that payment of the ransom demand will see decryption keys issued or stolen data permanently and securely deleted.

It is likely that many patients whose data are stolen would also feel the same way about payment of the ransom demand. However, regardless of whether a ransom is paid, patients should be notified and allowed to take precautions to protect their identities and financial accounts. Failure to notify patients of such a data breach would be a violation of HIPAA Rules, and could see the organization in question issued with a sizable fine for non-compliance.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.