Tampa Bay Surgery Center Notifies 26,000 of PHI Theft

Share this article on:

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website.

Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017 alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained sensitive data that had been obtained from a database maintained by Tampa Bay Surgery Center. Data stolen and exposed online by the malicious third party included the full names of patients along with dates of birth, home addresses and social security numbers. A link to the file was also distributed on Twitter by the individual who claimed to have stolen the data.

Tampa Bay Surgery Center has notified the Department of Health and Human Services’ Office for Civil Rights of the breach. The breach report indicates 25,848 patients were affected by the incident. Those individuals are being offered identity theft protection services without charge, although patients have been informed that no evidence has been uncovered to suggest any of the stolen protected health information has been misused.

An investigation into the breach is ongoing and processes and procedures are being updated to ensure similar incidents do not occur in the future.

While the breach will come as news to many patients, the incident was reported in May by Databreaches.net, which has been following the activities of the individual/group responsible for the attack – The Dark Overlord (TDO). TDO has conducted numerous attacks on healthcare organizations over the past few months.

TDO steals data, threatens to publish the information online and advises organizations that they can stop the data dump by paying a ransom. If the ransom is paid, TDO claims data will not be released online. As has happened on numerous occasions already, if the ransom demand is not paid or the request is ignored, data are published. TDO was behind attacks on OC Gastrocare, Aesthetic Dentistry, Dougherty Laser Vision, Peachtree Orthopedics, Midwest Orthopedic Pain & Spine, Athens Orthopedic Clinic and many others, including an unnamed third-party health insurer from which 9.3 million records were stolen.

According to Databreaches.net, the data dump appeared to include 142,000 records. The tweet sent by TDO, from an account that has subsequently been suspended, was ““Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.” The file has since been taken down and is no longer accessible online.  

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On