Hacking group TheDarkOverlord, after an apparent period of inactivity, has claimed responsibility for another successful attack on a U.S. healthcare supplier. This time the victim was Mass-based SMART Physical Therapy (SMART PT).
The announcement of the data theft was disclosed by TDO on Twitter on Friday 22, 2017, with the hack reportedly happening on September 13, 2017. No details about how access to the data was gained were provided, although it was confirmed to databreaches.net that the attack took advantage of the use of weak passwords. The entire database of patients was reportedly obtained.
Databreaches.net was provided with the information held on the patient database and has confirmed that the attack is genuine. The database included a wide variety of data on 16,428 patients, including patients contact details, dates of birth and Social Security numbers.
A demand for payment in Bitcoin was reportedly sent to SMART PT as part of an extortion attempt. SMART PT spokesperson Joanne Ponte confirmed to databreaches.net that they refuse to communicate with criminals and give into extortion or ransom demands.
TDO was ro blame for many hacking attacks on healthcare providers over the past two years, including Ca-based Dougherty Laser Vision, Little Red Door Cancer Services of East Central Indiana, Hand Rehabilitation Specialists, Tampa Bay Surgery Center, OC GastroCare, Aesthetic Dentistry and Athens Orthopedic Clinic, among others. In a few cases, the failure to respond to emails and the refusal to give in to the extortion demands has resulted in patient data being made publicly available online.
Since the ransomware attack only occurred recently, the scam has yet to be made known to the Department of Health and Human Services’ Office for Civil Rights and patients have not yet been provided with details of the breach. SMART PT is currently reviewing what happened and is following its internal breach response protocol.
Further information on the incident can be seen here.