Date: Sep 2017

Location: United States of America

Summary

A Massachusetts-based physical therapy practice suffered a data breach when attackers exploited weak passwords to gain access to an unsupported patient management system, compromising 16,428 unencrypted records containing sensitive personal, medical, and financial information. The attackers, identified as TheDarkOverlord, attempted to extort the practice with a Bitcoin ransom demand, which the owner unequivocally refused while declining all communication with the threat actors. Exposed patient data included names, addresses, contact details, Social Security numbers, insurance information, and clinical notes. The clinic was unaware of the intrusion until notified by an external party.

CIA Posture: available to members
Motives: 2 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On September 13, 2017, SMART Physical Therapy, which operates clinics in Malden and Reading, Massachusetts, suffered a data breach involving unauthorized access to its patient records. The attackers, identified as TheDarkOverlord, gained access by exploiting weak passwords on the Patterson PTOS software the clinic used to store patient data. Patterson (later Performance Health) had discontinued PTOS in March 2017, so the product was unsupported, and no longer receiving vendor fixes, at the time of the breach. TheDarkOverlord exfiltrated a database of 16,428 patient records stored unencrypted, including personally identifiable information (PII) and protected health information (PHI): Social Security numbers, dates of birth, contact details, medical comments, insurance payment types, and HIPAA authorization dates. The attackers then attempted to extort SMART Physical Therapy, demanding payment in Bitcoin (BTC) in return for not releasing or misusing the stolen data. Clinic owner Joanne Ponte, contacted by DataBreaches.net on September 15, unequivocally refused to engage with the hackers or consider payment, characterized them as criminals, and ended communication.


TheDarkOverlord publicly disclosed the breach on Twitter shortly after the attack, escalating pressure on the clinic. DataBreaches.net acted as an intermediary, contacting SMART Physical Therapy on September 15 at TheDarkOverlord's suggestion; that contact revealed the clinic had no prior awareness of the compromise, despite extortion emails the attackers claimed to have sent. Over the following days, TheDarkOverlord supplied DataBreaches.net with technical details and the full patient database, which confirmed the scope of the breach and that the data was stored unencrypted. The compromised records consisted of structured fields covering patient demographics, contact permissions, emergency contacts, and administrative metadata, exposing the affected individuals to identity theft and fraud. SMART Physical Therapy issued no public statement and provided no updates on its incident response despite follow-up inquiries from DataBreaches.net. TheDarkOverlord did not say what they intended to do with the stolen data. The incident illustrates two recurring weaknesses in healthcare environments: weak authentication on systems holding PHI, which here was the entry vector, and continued reliance on discontinued software that no longer receives vendor patches and stores records without encryption. The attackers' tactics of exfiltrating data, demanding a ransom, and then publicizing the victim mirrored earlier healthcare extortion campaigns attributed to the same group.

Sources: 1 source (available to members)