Cyber Incident Victim: Hand Rehabilitation Specialists
Date: Jul 2017
Location: United States of America
Summary
Hand Rehabilitation Specialists experienced a potential network security incident involving unauthorized access claims by the threat actor TheDarkOverlord, who allegedly exfiltrated patient data and issued extortion demands. The organization initiated a forensic investigation with law enforcement, which found no evidence of data exfiltration but could not rule out unauthorized access. Exposed information potentially included patient names, dates of birth, Social Security numbers, addresses, medical diagnoses, treatment details, insurance data, and payment records. Verification challenges arose as only two of ten sample patient records provided by the actor were confirmed as legitimate by the practice and its third-party vendor, who maintained no breach occurred in their systems. The entity proactively notified potentially affected individuals and enhanced security protocols despite unresolved discrepancies in the threat actor's claims.
Description
On or around July 5, 2017, Hand Rehabilitation Specialists, a rehabilitation practice with offices in Thousand Oaks and Simi Valley, California, was informed of a potential security breach involving unauthorized access to patient data. The notification originated from a cybersecurity blogger who had received samples of patient records from the threat actor group TheDarkOverlord (TDO). TDO claimed to have compromised the practice’s network and provided the blogger with 10 patient records containing last names, first names, genders, dates of birth, Social Security numbers, postal addresses with zip codes, and telephone numbers. TDO asserted they possessed additional records with more extensive data types, including medical and billing information, and indicated they had attempted extortion by demanding payment to prevent public release of the data. The practice immediately reported the incident to the Ventura County Sheriff’s Office, which initiated a forensic IT investigation in consultation with the FBI.

Law enforcement’s investigation found no evidence confirming data exfiltration from the practice’s systems, though unauthorized access could not be definitively ruled out. On September 1, 2017, Hand Rehabilitation Specialists issued breach notifications through the Vermont Attorney General’s Office, disclosing that compromised information might have included names, dates of birth, addresses, phone numbers, Social Security numbers, dates of service, diagnoses, CPT billing codes, treatment costs, co-pay amounts paid by check, medical insurance details (including group numbers and contact information), check numbers, and practice contact information. The practice did not specify the number of affected individuals in its notification. As a precautionary measure, it offered protective services to potentially impacted patients and initiated a review of its security policies and procedures. Third-party vendors involved in maintaining the practice’s database denied any evidence of a breach, and only two of the 10 patient records provided by TDO were confirmed as legitimate patients by the practice. TDO maintained they had sent an extortion demand to the practice’s email address but provided no proof of receipt or acknowledgment. The incident had not been listed on the HHS public breach tool as of the article’s publication date, and no public data dump or sale linked to the incident was verified.
