Athens Orthopedic Clinic has confirmed that its patients have been impacted by a cyberattack that was conducted using the login credentials of one of its software vendors. According to the notice on the healthcare provider’s website, electronic medical records of current and former patients were breached.
While the substitute breach notice explained neither the exact nature of the attack nor the number of patients affected, the incident to which the notice refers is the cyberattack conducted by TheDarkOverlord.
Athens Orthopedic Clinic is the Georgia healthcare provider from which 397,000 records were stolen. In addition to patient data being offered for sale on the darknet marketplace TheRealDeal, more data have recently been dumped on the data-sharing website Pastebin.
The records of 500 patients were initially disclosed by TheDarkOverlord for verification purposes. A further 509 records have recently been uploaded to Pastebin. The posting, which is still accessible, includes names, genders, ages, dates of birth, client type, Social Security numbers, addresses, and other raw data. While not posted to Pastebin, the data stolen in the attack also included some medical data, such as X-ray images, partial medical histories, and medical diagnoses.
The posting was accompanied by the message “Athens Orthopedic Clinic (Athens, GA, United States) Patients PII/PHI – Pay the f**k up, Kayo Elliot, CEO.” TheDarkOverlord also said in the message, “Kayo Elliot, CEO, can protect all of his 397,000 patients for less than $1 per record, he has the option to safeguard all of his patient’s record.” The message goes on to say, “Would you want him to pay if it were your records that needed protecting?”
Athens Orthopedic Clinic has succeeded in getting one of the posts removed, and efforts are ongoing to remove the posting containing the second data dump.
The breach notice posted on the Athens Orthopedic Clinic website advises patients to obtain credit reports and check them for any sign of suspicious activity. The clinic is in the process of notifying patients of the breach by mail; breach notifications were scheduled to be mailed today, now that patient contact information has been verified. The Department of Health and Human Services’ Office for Civil Rights will be notified of the breach in due course.
Athens Orthopedic Clinic has taken steps to protect against future data breaches and has retained the services of a cybersecurity firm, which will make recommendations on how its cybersecurity protections can be improved. According to the breach notice, some of those measures have already been implemented.