On September 22, 2016, Peachtree Orthopedics in Atlanta, Georgia, announced their system had been hacked and up to 531,000 people were potentially vulnerable to identity theft. Most were patients. According to the notice posted on the Peachtree website in September by Peachtree CEO Mike Butler:

“We regret to inform you that on September 22, 2016, we confirmed an unauthorized intrusion into our computer system. We took immediate action and are working closely with forensic experts and the FBI to investigate and address the situation. While our investigation is ongoing, we have found evidence indicating that information such as patient names, home addresses, email addresses, and dates of birth was potentially taken. In some cases, the patient’s treatment code, prescription records, or social security number may also have been taken.”

It’s unclear when the actual data breach happened—Peachtree’s official announcement simply states that September 22 was the “announcement date.” Butler’s announcement also states that patients of Peachtree prior to July 2014 may be affected and that “a small number” of patients after that date may also be victims of the hack. As a consolation prize, Butler offers one year of free identity protection services to affected Peachtree patients. Butler’s announcement was also mailed to all potential victims, which totals over half a million at 531,000. The offer of free ID protection services includes credit monitoring to keep an eye out for signs of identity theft.

Peachtree isn’t the first Atlanta-based orthopedics group to be targeted by hackers in 2016. Athens Orthopedic Clinic, also in Atlanta, says they were hacked by TheDarkOverlord (TDO), a hacking group, around June 14, 2016. Athens didn’t notice the breach until June 27, according to the Athens Banner-Herald. In the Athens hacking case, similar records were stolen, as well as some diagnoses and medical records. Athens Orthopedic says hackers gained access by using “third-party vendor credentials” to log into the system. The hackers claimed they were a “nationally-known health care information management contractor.” Athens Orthopedic estimates that the breach may have affected around 200,000 current and former patients.

TheDarkOverlord Strikes Again

TDO claimed responsibility for the Peachtree hack on October 13, 2016. The TDO press release revealed some Peachtree patient information, including a link to an “internal document dump.” The dump tactic and patient information teaser is a hacking group strategy to pressure organizations into paying an extortion ransom. The October 13 TDO statement says, “We went to Peachtree Orthopedics—like Athens Orthopedic—and proposed a solution to the dilemma. We have data that they don’t want us to have. With us both running a business, we hoped for a speedy resolution so we can go our separate ways—it was anything but.”

TDO targets healthcare organizations, likely because clinics are responsible for sensitive patient information. Like financial institutions, healthcare organizations house some of the most vulnerable information imaginable: health records. TDO claims to contact their victims (including Peachtree) to warn them about computer vulnerabilities, offering to fix them for a fee. If the thinly veiled ransom isn’t paid, TDO threatens to sell sensitive information on “the dark web.” The dark web is where illegal activity runs rampant online, and this world is not accessible via traditional search engines like Google.

According to TDO, the hacking group “acquired 543k patient records which contain both Personally Identifiable Information (PII) and Protected Health Information (PHI)…Oh, the things we could do with so much data!” However, what’s especially interesting in the TDO press release and link dump teaser is that some of the files were acquired in mid-May 2016. Why did it take so long for Peachtree to announce the hack? Why wasn’t the breach confirmed until September 22?

“Dump”ster Diving

The contents of TDO’s Peachtree “dump” are random and sporadic at best. It includes tax return documents, personal information of both staff and patients, insurance billing codes, and an interesting file called “CV of doctor to ransom.pdf.” Login information, including both usernames and passwords, for various healthcare sites like Aetna and AARP is also included in the dump.

Peachtree made the official report to the U.S. Department of Health and Human Services (HHS) on November 18, 2016. According to the HHS report, the 531,000 “people at risk” live in five different counties. Peachtree’s hack was the biggest in Georgia for 2016 and was the sixth largest in the U.S. (in terms of people put at risk). Notable potential victims include current Atlanta Hawks players, former Braves players, FBI agents, and other government civil servants.

Health (Record) Matters

On the dark web, medical records are extremely valuable. Many people think social security numbers (SSN) are where the illegal profits are, but today SSNs cost a few cents each. Medical records can sell for up to $5 apiece on the dark web. Steven Grimberg, Assistant U.S. Attorney at the Department of Justice, says the dark web is “user-friendly, like Amazon or eBay. You can go on there and take your pick as to what kind of information you want.”

Anyone who’s completed a medical form knows exactly how sensitive that information can be. At the same time, healthcare organizations are lagging other industries when it comes to transitioning to digital records—and they’re being pressured into transitioning faster. Electronic health records (EHRs) are challenging because they must still comply with HIPAA (Health Insurance Portability and Accountability Act) rules. EHRs can update patient records in real time and are instantly available to authorized users, maximizing convenience. However, EHRs, like any digital record, may also be accessed by unauthorized users. In some regards, EHRs are easier to steal than hard copy medical records: a single compromised account or server can expose every record at once, whereas paper files must be removed one by one.

According to the HealthIT.gov website, today’s EHRs might “contain a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results.” It’s illegal under the Americans with Disabilities Act (ADA) for a prospective employer to ask about a candidate’s health records, including HIV status, or disability before a job offer. However, with health records stolen and sold on the dark web, it’s feasible for anyone (potential employer included) to discover a victim’s diagnosis and health status.

By the Numbers

The HHS Office for Civil Rights lists almost 300 medical data breaches in 2016, each affecting 500 or more people. Grimberg says these kinds of breaches are a challenge because “It’s very different than 20, 30 years ago, when you had very clear footprints and fingerprints all over the criminal activity. Now it’s very easy to mask your criminal activity on the internet.”

Still, most websites harbor serious vulnerabilities. The 2016 WhiteHat Security “Website Security Statistics Report” notes that 86% of all websites have at least one “serious vulnerability.” In the healthcare industry, WhiteHat estimates that 47% of sites are “always vulnerable” and just 10% are “rarely vulnerable” (defined as vulnerable 30 days or less per year). While the average number of vulnerabilities varies widely by industry (the lowest is manufacturing at five vulnerabilities on average per site, while IT is the highest at 32 vulnerabilities on average per site), WhiteHat’s report specifically states, “Regulated industries, such as financial services and healthcare, are not performing significantly better or worse than the rest.” On average, WhiteHat estimates healthcare sites have five serious vulnerabilities per site and 12 general vulnerabilities per site.

The length of time vulnerabilities stay on a site also varies by industry. Information technology has the longest at 875 days on average, but healthcare averages 406 days—that’s well over a year that each vulnerability stays on a site. Healthcare organizations also average remediation rates below 50%, according to WhiteHat. Still, that’s an improvement for healthcare, from 26% to 44%, over the past two years.

It’s unsurprising that Peachtree hasn’t publicly stated their strategy for handling TDO. However, a Peachtree statement notes they are “working closely with outside experts as part of an ongoing review of (our) security measures.”

How Can Healthcare Sites Stay Safe?

There’s no absolute guarantee that any digital records will remain protected. After all, hackers got into the Department of Justice portal and downloaded 200GB of data earlier in 2016. Thousands of government employees and FBI agents had their records stolen. However, numerous analyses following major incidents like the Heartbleed bug have shown that the clear majority of websites could benefit from a serious security overhaul.

Following security best practices, automatically downloading updates and patches, and keeping up with the latest security technology is the trifecta of keeping websites and online data safe. Online security is like antibiotics: the stronger an antibiotic is, the more resistant the next strain will be. Both web security and hackers will adapt to the latest challenges.

Best practices for website security include multi-factor authentication (i.e., requiring more than one kind of proof to log in, such as a password plus a one-time code or hardware token, rather than simply multiple passwords), ensuring passwords are complex and changed at least once per month, and never logging into sensitive websites away from established home or work networks. Advanced authentication, such as eye vein and fingerprint scans, is also becoming popular, although there are security concerns with these authentication approaches as well.

From configured firewalls to the latest anti-malware and anti-virus software, there are numerous avenues for increasing the security of a site. Unfortunately, most website developers, managers, and owners don’t keep pace with best practices or the latest technology.

For now, TDO appears to be waiting for Peachtree’s next move. TDO’s self-chosen moniker is a nod to a powerful alien in the Marvel universe. Part of an ancient race of world dominators, the fictional Dark Overlord seeks revenge while waiting for the perfect time to reclaim domination. With Peachtree as a pawn, TDO exemplifies another occasion of life imitating art.
