TheDarkOverlord (TDO) is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user data from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. After a period of reduced activity, the group has recently announced another successful attack on a U.S. healthcare provider, Massachusetts-based SMART Physical Therapy (SMART PT).
The hack reportedly occurred on September 13, 2017, and the data theft was disclosed by TheDarkOverlord on Twitter on Friday 22, 2017. The group gave no details on how they managed to access the medical center’s data. Following a short initial investigation, the data breach information website databreaches.net surmised that the attack took advantage of weak passwords on the medical center’s servers. The same initial investigation reported that SMART Physical Therapy’s entire database of patient information was stolen in the attack.
Databreaches.net was provided with the patient database, which it used to confirm the authenticity of the attack. The database contained a wide range of information on 16,428 patients, including contact information, dates of birth and Social Security numbers.
This was an extortion attempt, and a demand for payment in Bitcoin was reportedly sent to SMART PT, although no payment has been made. SMART PT spokesperson Joanne Ponte confirmed to databreaches.net that the organisation refuses to communicate with criminals or give in to the extortion demands, and that the Bitcoin payment will therefore not be made. TDO has yet to respond to this defiant statement.
TDO has been responsible for several hacks of healthcare organizations over the past two years, including CA-based Dougherty Laser Vision, Little Red Door Cancer Services of East Central Indiana, Hand Rehabilitation Specialists, Tampa Bay Surgery Center, OC GastroCare, Aesthetic Dentistry and Athens Orthopedic Clinic. In several cases, the failure to respond to the group’s emails and the refusal to give in to its extortion demands resulted in patient data being dumped online, freely accessible to anybody with an internet connection.
Since the attack occurred only in the past few days, the incident has yet to be reported to the Department of Health and Human Services’ Office for Civil Rights, and patients have not yet been notified of the breach. Under HIPAA’s Breach Notification Rule, affected patients must be informed within 60 days of the breach being discovered. SMART PT is currently investigating the breach and is implementing its breach response protocol.