‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently, shortly after that, a fourth stolen database, reportedly containing the records of 9.3 million individuals from a health insurer, went up for sale. The hacker taking credit for all four refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities in their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed the electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after the events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely gained access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net notes, however, that neither entity mentioned the ransom demands, or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be on the minds of every healthcare organization as they learn of these events. First, is your own data secure against such attacks, or are you vulnerable as well? How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, and this is something I think every organization should have at least a working framework for analyzing in the event it finds itself the recipient of a post-breach ransom demand: what will your response be if you receive such a demand?

Colorado Proposes Changes to General Licensure Rules Concerning Review and Approval of Quality Management Plans for Health Care Entities

The Health Facilities and Emergency Medical Services Division of the Colorado Department of Public Health and Environment (CDPHE) issued proposed amendments to its general licensure rules for health care entities on July 16, 2014. The division plans to update its rules for the first time since the health facility quality management privilege, C.R.S. § 25-3-109, was enacted in 1988. A rulemaking hearing is scheduled for Oct. 15, 2014.

The division is amending its regulations to strike language exempting certain health care entities from having a quality management plan, as the statute does not exempt any licensed health care entity from this requirement. Thus, the proposed rule requires every health care entity licensed or certified by the CDPHE pursuant to C.R.S. § 25-1.5-103(1)(a) to establish a quality management program appropriate to the facility’s size and type that evaluates the quality of patient or resident care and safety.

In addition, the division is amending its rules regarding approval of quality management plans, stating that the current rule language is outdated and is being revised to align with the new health inspection process. Thus, the proposed rule eliminates the requirement that facilities submit quality management plans for approval. Instead, every health care entity that must have a quality management plan will be required to develop one that shall be available to the CDPHE during the initial licensure survey and each re-licensure survey. Significantly, the proposed regulations state that the plan for a health care entity’s quality management program shall be considered approved if the CDPHE does not cite any deficient practice related to it. If the CDPHE finds that a quality management plan does not meet regulatory requirements, it will inform the facility of the specific reasons for disapproval and establish a reasonable date for resubmittal of a revised plan.

On a related note, the Colorado Supreme Court should shortly issue a decision under the former licensing rules. In Simpson v. Cedar Springs Hospital, Inc., Colo. No. 2013 SA 124, a hospital challenged a trial court’s order to produce documents from its quality management meetings after the trial court found that the hospital had not implemented a quality management program approved by the CDPHE, a condition for its quality management materials to be subject to the privilege created by C.R.S. § 25-3-109. The trial court had rejected the hospital’s argument that the evidence that the CDPHE had licensed the hospital and renewed its license established that the hospital had an approved quality management program.

Health care facilities in Colorado should follow the CDPHE’s rulemaking as well as the Colorado Supreme Court’s decision in Simpson, as both will provide important information about the scope and requirements of Colorado’s quality management privilege.