Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals

Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, is contacting 7,000 clients regarding a breach of their protected private health information that occurred in September 2017.

Potentially, the breach impacted all clients whose data was saved during a visit to a SMART outlet prior to December 31, 2016.

Hackers, in an extortion attempt, accessed SMART systems, allegedly stole private information, and asked for a ransom payment to prevent the information from being made available online.

The breach notification letters did not confirm whether the ransom was paid, although SMART has told its clients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.”

The matter has been reviewed by the FBI and Homeland Security, although the specific details of the investigations have not been revealed. An attempt was made by SMART to see a copy of the police investigation report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received by the organization.

The information potentially obtained by the hacking group did not include financial information or Social Security numbers, but insurance numbers and diagnostic codes were among the stolen data.

The North Carolina Department of Health and Human Services discovered that a spreadsheet listing the protected health information of approximately 6,000 individuals was accidentally sent to a vendor in an unencrypted email. The breach was first seen on September 27, 2017.

The vendor who was sent the information in error was contacted and advised as to how they could securely delete the spreadsheet. NC DHHS has confirmed that the spreadsheet has been securely deleted by the vendor, although affected clients have been informed that the email could potentially have been obtained in transit by unauthorized people. The risk of interception of the email or the misuse of any information in the spreadsheet is believed to be minimal.

The spreadsheet held information including names, test results, and Social Security numbers of clients who had undergone routine drug screening tests. The tests were completed on clients who had applied to NC DHHS for employment or intern and volunteer vacancies.

NC DHHS is currently finishing a review of security measures to prevent similar incidents from being encountered in the future.

Author: Maria Perez