Cyber Incident Victim: Peachtree Orthopedics
Date: Apr 2023
Location: United States of America
Summary
Peachtree Orthopedics suffered a cyberattack where an unauthorized party gained access to limited systems within its network. The incident potentially compromised patient information including names, addresses, dates of birth, Social Security numbers, medical treatment details, and financial data. This is the third known security breach affecting the clinic's patients in seven years, with previous incidents attributed to threats from thedarkoverlord in 2016 and an unnamed business associate in 2021.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 20, 2023, Peachtree Orthopedics determined that an unauthorized party had gained access to limited systems within its computer network. The clinic immediately initiated an investigation into the incident, engaging third-party specialists to assist in determining the full nature and scope of the situation. Law enforcement agencies were also notified of the breach. The investigation remained ongoing at the time of the public notification, and the clinic could not rule out the possibility of unauthorized access to certain information for certain individuals. The types of information that were potentially affected varied by individual but could include a combination of name, address, date of birth, driver’s license number, Social Security number, medical treatment and diagnosis information, treatment cost information, financial account information, and health insurance claims or provider information.

The threat actor group Karakurt added Peachtree Orthopedics to its data leak site on or about May 12, 2023. The group made inconsistent claims regarding the amount of data exfiltrated, with one part of its post referencing 181 GB of data and another part claiming to possess 194 GB. Karakurt also claimed the stolen information included many records with Social Security numbers, almost 1,000 credit cards, other detailed personal information, medical records, and a significant amount of corporate data. Despite these claims by the threat actors, the official notice from Peachtree Orthopedics did not confirm that any patient data was actually exfiltrated; it only stated the clinic could not rule out unauthorized access for certain individuals. Neither the clinic nor the threat actors disclosed the number of patients whose protected health information may have been involved, nor did they reveal the specific start date of the attack or when abnormal network activity was first discovered.
In its response to the incident, upon discovery of the unauthorized access, Peachtree Orthopedics changed account passwords and implemented additional security measures designed to further protect information and reduce the risk of a similar incident occurring in the future. The clinic’s public notice, dated May 12, 2023, and posted on its website, did not offer any credit monitoring or identity protection services to affected patients at that time. It instead provided advice to patients on how to protect themselves and established a dedicated call line at 888-601-3774 for individuals with questions or who wished to determine if their information was potentially affected.
This 2023 incident represents at least the third time patient data from Peachtree Orthopedics has been involved in a cybersecurity event within a seven-year period. The first known incident occurred in 2016 and was a massive hack and extortion attempt by the threat actor group thedarkoverlord. This breach affected approximately 531,000 patients. An investigation revealed that the compromise originated from an Illinois-based business associate, which was used to gain access to several medical entities, including Peachtree Orthopedics. The protected health information involved in that incident included names, addresses, dates of birth, Social Security Numbers, and some clinical information. Following that breach, Peachtree Orthopedics ended its relationship with the implicated business associate and retained a third-party IT security firm to perform a forensic evaluation. The clinic implemented several additional technical safeguards, including a new intrusion detection system, improvements to its firewall, a reset of all user passwords, upgrades to its anti-virus software, additional monitoring of user activity, and the implementation of multi-factor authentication for remote users. As a result of an investigation by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), the clinic also completed a new risk analysis and provided breach notifications to HHS, affected individuals, the media, and on its website.
A second incident occurred in 2021 and was again attributed to a business associate. Peachtree Orthopedics reported this breach to HHS in January 2022, stating that its business associate had experienced a ransomware attack that affected the electronic protected health information of 53,686 individuals. The data involved in this event included names, dates of service, and other treatment information. This breach was consolidated into an existing compliance review of the business associate by OCR. Publicly available information suggested this attack may not have been a direct attack on Peachtree’s own systems but rather involved patient data stored on the business associate's system.
The specific vector of the 2023 attack and whether a business associate was involved remained unclear at the time of reporting. Karakurt, like thedarkoverlord before them, operates as a data extortion group; they exfiltrate data and then attempt to extort the victim, rather than deploying ransomware to encrypt files or lock systems. It is not publicly known whether Peachtree Orthopedics paid a ransom to thedarkoverlord in 2016 to prevent the dumping of patient data, as a full public leak of the 530,000 patients' data was not observed. Similarly, the clinic's listing on Karakurt’s site indicated that, as of the report date, no agreement to pay a ransom had been reached. The history of breaches prompted an expectation that HHS would investigate the 2023 incident to determine what occurred and how the defenses were circumvented. The clinic's notice provided no final determination on the scope of the impact or the specific systems that were accessed by the unauthorized party.
