How the Dark Overlord Is Costing U.S. Clinics Big Time With Ransom Demands

WASHINGTON (McClatchy Washington Bureau/TNS) -
A brassy, attention-seeking hacker group that calls itself The Dark Overlord is stealing massive numbers of patient records from U.S. medical and dental clinics and hawking them on the black market or spilling them onto the internet.

The group’s digital rampage hasn’t seized the kinds of headlines that have been devoted to the WannaCry ransomware that’s swept the globe in recent days. But it has had a far greater impact in the United States than the ransomware attack, inflicting heavy — even crippling — costs on small clinics across America.

While the ransomware attack affected few computers in the United States other than those of FedEx, The Dark Overlord has plundered hundreds of thousands of digital health records in the past year from coast to coast. Targets have ranged from a Manhattan cosmetic dental practice to a semi-rural Missouri medical clinic. Only last week, the group posted the patient records of clinics in Florida and California.

The hackers freeze the clinics’ records, then demand payment in bitcoin to return access. If payment is not forthcoming, the records may be released on the internet. On the underground “dark web,” crime groups pay varying rates for what is known as personally identifiable information.

Social Security numbers can fetch about 25 cents each, while credit card numbers might bring $1 to $10, said Robert Lord, chief executive of Protenus, a Baltimore firm specializing in health care cybersecurity. Complete health records can sell for hundreds of dollars each.

While credit cards can be canceled, medical records are largely immutable and provide family history, medications, billing information, medical diagnoses and further details.

“They can be used for extremely complex types of fraud,” Lord said, like identity theft, medication and claims fraud, and abusive ad targeting.

“Then of course there is medical blackmail. If you’re a public figure and you have plastic surgery or have a cancer diagnosis … you can imagine what that could mean if your records became public,” Lord said.

If a ransom demand is ignored or rejected, The Dark Overlord can be testy.

“This clinic didn’t do anything wrong except annoy us,” a Twitter account for @tdohack3r, which is used by The Dark Overlord, said after releasing 142,414 patient records May 4 from the Tampa Bay Surgery Center, a private outpatient facility. The records included home and work telephone numbers, and in some cases, Social Security numbers and addresses.

“The country is under siege right now,” said Dr. Jay L. Rosen, chief executive of the facility. “It’s a horrible situation.”

No one knows where The Dark Overlord hackers operate from or how large a group it is, only that it is presumably foreign because it uses common British, not American, spellings.

Many corners of the U.S. health care sector are disastrously vulnerable to computer breaches, experts say, and cybercrime groups have discovered that medical records can be valuable for fraud, blackmail and extortion.

“Unfortunately, health care’s got a major target painted on its back,” said Lord, the health care cybersecurity expert.

For some, a visit from The Dark Overlord is all but fatal.

That was the case for Cancer Services of East Central Indiana — Little Red Door, a Muncie, Ind., nonprofit that assists impoverished cancer victims. The executive director, Aimee Fant, recalled with anger the way The Dark Overlord had shaken down her facility earlier this year.

“It was demented,” Fant said. “They were saying, ‘We’re your new best friends. We want to help you.’”

The hackers installed malicious code that encrypted the hard drives of the facility’s eight computers, and didn’t listen to appeals about the center’s shoestring budget and its charitable services, which include providing hospice support for the cancer-ridden and offering gasoline cards to help poor patients get to doctors’ appointments.

News of the hack came as the center’s directors were literally sitting down for a board meeting on Jan. 11, Fant said. Text messages pinged in.

“They wanted ransom. They wanted 43 bitcoin, which was about $43,000,” Fant said. “We made the decision that we were not going to pay.”

The hackers sent messages suggesting that news of the breach would generate sympathy for the center, and donations would increase beyond what the ransom would cost.

“Their argument was that people would feel sorry for us,” she said.

Little Red Door stood firm — and felt the pain.

“We took a hit. … They wiped us out clean. We were completely unable to function,” Fant said. “It took about two months to get back up and running.”

A website that monitors hacks in the health care arena tallies at least seven thefts of patient data by The Dark Overlord from medical and dental clinics in the past year. They involve clinics in and around Farmington, Mo.; Anaheim, Calif.; Tampa, Fla.; and a dental clinic in New York City.

A metro Atlanta clinic, Peachtree Orthopedics, announced last Oct. 1 that 531,000 patient records had been lost to a hack. Last week, a California clinic, Orange County Gastrocare, saw 34,100 files of patient details published on the internet. Both clinics appeared to be Dark Overlord victims.

They are only a portion of the 126 breaches since May 1, 2016, listed on the Department of Health and Human Services Breach Portal, each of which affected more than 500 individuals.

How many of those breaches were caused by The Dark Overlord is anyone’s guess.