After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord (TDO) has revealed another attack on a U.S. healthcare provider, Massachusetts-based SMART Physical Therapy (SMART PT).
The hack reportedly happened on September 13, 2017, and TDO announced the data theft on Twitter on Friday 22, 2017. No details were given as to how access to the data was gained, although it was revealed to databreaches.net that the attack took advantage of weak passwords. The entire patient database was reportedly obtained.
Databreaches.net was provided with the patient database and was able to confirm that the attack was genuine. The database held a wide range of data on 16,428 patients, including contact information, dates of birth and Social Security numbers.
This was an extortion attempt, and a ransom demand for payment in Bitcoin was reportedly sent to SMART PT, although no payment has been made, nor will one be. SMART PT spokesperson Joanne Ponte told databreaches.net that they refuse to negotiate with criminals and give in to extortion demands.
TDO has been responsible for several hacks of healthcare organizations over the past two years, including California-based Dougherty Laser Vision, Little Red Door Cancer Services of East Central Indiana, Hand Rehabilitation Specialists, Tampa Bay Surgery Center, OC GastroCare, Aesthetic Dentistry and Athens Orthopedic Clinic, to name but a few. In several instances, the failure to answer emails and the refusal to give in to the extortion demands has led to patient data being dumped online.
Since the attack only happened in the past few days, the incident has yet to be reported to the Department of Health and Human Services’ Office for Civil Rights, and patients have not yet been notified of the breach. SMART PT is currently reviewing the breach and is implementing its breach response measures. Further information on the incident can be downloaded here.