Hacker Accuses Michigan Ophthalmologists of Hiding His Attack for 2 Years

Ryan Black
JUNE 02, 2018


Late last month, a hacking incident against Michigan’s Holland Eye Surgery and Laser Center appeared on the Department of Health and Human Services’ Office for Civil Rights (OCR) data breach reporting portal. Healthcare Analytics News™ made a pair of attempts to contact the affected organization for further details, but did not receive a response—which isn't uncommon. Cybersecurity incidents are sensitive subjects for most organizations.

But according to a new report from databreaches.net, which has covered privacy infringements in the healthcare sphere for nearly a decade now, Holland Eye might have a host of reasons to remain mum. And if the reporting is accurate, the provider could face federal scrutiny.


The actor claiming responsibility for the breach—who refers to himself as Lifelock—has had previous contact with the data security watchdog, and he recently provided details about the Holland Eye situation that directly contradict the ophthalmology provider’s own statements and OCR report.

The saga begins in June 2016, when Lifelock hacked the ophthalmology practice’s systems and acquired tens of thousands of patient records. He then claims to have demanded a $10,000 “security fee” from the physicians to secure their data, but was met with silence. He says he reached out to the clinic over 30 times in the past 2 years while slowly selling some of the stolen patient data on the dark web—those of about 200 people. It’s a fairly common practice for a hacker to access protected records and then extort the compromised entity by slowly selling off the stolen information (the Dark Overlord hacker group is known to do that).

Holland Eye issued a media notice in local Michigan newspaper Holland Sentinel on May 18th, though the notice doesn’t appear to have made it to that publication’s website. “Holland Eye believes that the unauthorized individual accessed the list in June 2016,” but it claims to have been unaware until March 2018, contrary to Lifelock’s assertion of early and repeated extortion attempts. The date Holland Eye says it first became aware of the hack was 60 days before it issued the warning and reported it to OCR. Under the law, entities have exactly 60 days following detection of a data breach to notify OCR if they want to avoid penalties.

Lifelock—who used his alternate correspondence name “Todd Davis” when contacting both Holland Eye and databreaches.net—said in a profane statement that his goal now was to notify patients and shame the clinic. In his effort to expose Holland Eye he claimed to have even eventually contacted the Mayor of Holland, Michigan, Nancy De Boer (and to have opened lines of credit in her name as a threat). Those efforts produced no public acknowledgement, and he finally contacted databreaches.net the same month that Holland Eye claims it became aware of the situation.

There’s another difference between Holland Eye’s accounts to OCR and the media and the hacker’s information. Lifelock reportedly showed databreaches.net 2 date-stamped .csv files of what he had obtained from the network: One contained 42,209 records. The other contained an additional 202,163 records.

The OCR portal shows only 42,200 patients were reported to have been affected.

If there’s truth to the hacker’s claims, and if the files he provided are authentic, it could spell major trouble for Holland Eye. The practice could draw a thorough investigation from OCR (if one wasn’t already underway), and the agency is known to slap hefty fines on healthcare organizations that fail to follow federal rules for protecting patient data. Irresponsible data management cost provider groups 21st Century Oncology and Fresenius Medical Care $2.3 million and $3.5 million, respectively, in 2 of the more recent OCR cases.

The first-ever fine levied for a failure to report an incident within 60 days was assessed in January 2017. Presence Health in Illinois missed the reporting deadline by 40 days and agreed to pay $475,000 for the violation.

“Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements,” former OCR Director Jocelyn Samuels said at the time. “Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”
