Athens Orthopedic Clinic Confirms Cyberattack: TDO Dumps More Data

Athens Orthopedic Clinic has confirmed that its patients have been impacted by a cyberattack that was conducted using the login credentials of one of its software vendors. According to the notice on the healthcare provider’s website, the electronic medical records of current and former patients were breached.

While the substitute breach notice did not explain the exact nature of the attack or the number of patients affected, the incident to which the notice refers is the cyberattack conducted by TheDarkOverlord (TDO).

Athens Orthopedic Clinic is the Georgia healthcare provider from which 397,000 records were stolen. In addition to patient data being offered for sale on the darknet marketplace TheRealDeal, more data have recently been dumped on the data sharing website Pastebin.

The records of 500 patients were initially disclosed by TDO for verification purposes. A further 509 records have recently been uploaded to Pastebin. The posting, which is still accessible, includes names, genders, ages, dates of birth, client type, social security numbers, addresses, and other raw data. While not posted to Pastebin, the data stolen in the attack also included some medical data such as x-ray images, partial medical histories, and medical diagnoses.

The posting was accompanied by the message “Athens Orthopedic Clinic (Athens, GA, United States) Patients PII/PHI – Pay the f**k up, Kayo Elliot, CEO.” TheDarkOverlord also said in the message, “Kayo Elliot, CEO, can protect all of his 397,000 patients for less than $1 per record, he has the option to safeguard all of his patient’s record.” The message goes on to say, “Would you want him to pay if it were your records that needed protecting?”

Athens Orthopedic Clinic has succeeded in getting one of the posts removed, and efforts are ongoing to remove the posting containing the second data dump.

The breach notice posted on the Athens Orthopedic Clinic website suggests patients should obtain credit reports and check for any sign of suspicious activity. The clinic is in the process of notifying patients of the breach by mail. Breach notifications were scheduled to be mailed today now that patient contact information has been verified. The Department of Health and Human Services’ Office for Civil Rights will be notified of the breach in due course.

Athens Orthopedic Clinic has taken steps to protect against future data breaches and has retained the services of a cybersecurity firm, which will be making recommendations on how cybersecurity protections can be improved. According to the breach notice, some of those measures have already been implemented.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.