Little Red Door Hacked by The Dark Overlord

By Greg Wright

MBA, CFE, CFP®, CLU, ChFC

Certified Fraud Examiner

Certified Financial Planner™

The Little Red Door Cancer Services of East Central Indiana was recently hacked by The Dark Overlord, a cyber criminal group, and faced a $43,000 ransom demand.

Increasingly, medically related and non-profit groups experience ransomware demands.  These organizations possess individual's medical and personal information, and typically have weak IT security.  

Sometimes data is encrypted by the cyber thief, and the ransom demand is to provide the decryption key to unlocking the data.  This is what happened in Madison County who paid the ransom.  In other cases; it is a blackmail demand to avoid the public embarrassment of having sensitive information published on the internet.   

The Dark Overload group, named after a comic book character, has been successful in multiple ransomware cases and have netted over $500 million last year alone, according to security sources.

These data breaches are more serious than previous credit card breaches because they affect not only Personal Identifiable Information (PII) but also include Medical Information covered by HIPAA.  PII has a value on the “dark net” of about $50 per individual and HIPAA information is valued at over twice that amount or about $100 per individual.  

Thus, an organization -- say a dental or physician office that has maybe 3,000 current and past client records -- could provide a cyber thief with $300,000 in revenue from the dark net sale of both the PII and medical information.  The ransomware demand is often only a minor revenue stream these fraudsters.  Many cyber criminals enjoy taunting its victims.

From the consumer’s standpoint, the theft of PII or credit card information is inconvenient to most victims and can take a long time to correct. About one in three Americans will be victims of that kind of theft this year.  The inconvenient for many is worst than the financial impact, and it can often be repaired without requiring professional help.  The loss of your medical identity can be worse, more difficult to correct, and sometimes life threatening to the victim.

From the medical provider’s standpoint, a data breach can be catastrophic. 

In some parts of the U.S., legal boutiques are springing up that focus on class-action data breach events that involve both PII and HIPAA.  If a medical-related organization experiences a data breach and it had not previously conducted a cyber security assessment or financial risk assessment, had insufficient safeguards, and have an ineffective (or non-existent) HIPAA supervisor, these issues could eventually result in liability costs that force the sale of the medical practice. 

In the case of the Little Red Door, there was no reported encryption of data; but, the demand was that the data would be released on the internet.  The LRD has reported that they refused to pay the demand.

Unfortunately, the staff’s Social Security numbers and other LRD information is already on the dark web. A spokesperson for The Dark Overlord, who forwarded an email to the media from within the Little Red Door’s internal email account, disputed that the data had yet to be published.  Obviously, The Dark Overlord is not finished with the Little Red Door. TDO claims that they acquired much personal information, including diagnoses of clients.

Few non-profits and smaller medical-related businesses have adequate safeguards to prevent the loss of sensitive client information.

Ransomware + Medical Identity Theft = Disaster

By Greg Wright

MBA, CFE, CFP®, CLU, ChFC

Certified Fraud Examiner

Certified Financial Planner™

Sometimes two bad things link, accelerate and produce an even larger tragedy. That’s what happening today when “ransomware” meets “medical identity theft.”   

Smaller personal service business offices are notoriously lacking in cyber security.  This includes smaller offices of physicians, optometrists, chiropractors, and dentists.  Cybercriminals are increasingly attacking these small businesses, encrypting their files and hold them for ransom.

Last year, the American Dental Association warned dentists about ransomware.

Many businesses cannot operate without access to its customer files. Moreover, once they become a ransomware victim, like Madison County Indiana recently, they will pay a ransom to the cyber criminal.  If the victim is a medical office, the data thief also gets to copy and sell the medical practice patient’s medical records too.  Ouch.

What could a cybercriminal do with your Social Security number, credit card info, insurance policy information, your address, and medical history?  Similar information is sold every day on the dark net.  Medical identity theft is one of the fastest growing cyber crimes.  Ransomware crimes are growing even faster and reaching down into profitable small businesses.

Medical businesses are a favorite.  Last year, for example, Hollywood Presbyterian Medical Center revealed it paid ransom to hackers who held the hospital's computer system hostage by encrypting its patient records.  I’ll bet that the hospital’s patient's medical information was also copied and sold. 

Ransomware is exactly what it sounds like -- malicious software used by cyber criminals to block access by a business owner to a computer system until a ransom is paid. It has become much more common in recent years. The number of ransomware attacks increased almost five times – 500% -- in 2016 compared with the prior year.

This particular type of cyber crime was first recorded in1989. The attack is relatively easy to deploy and profit.  It doesn’t take special skills and the software or malware is easily obtainable on the dark net.  The victim’s employees need only click on the wrong “innocent” appearing link to infect and compromise its computer system.

In the past, ransomware cyber-criminals targeted consumers connecting to porn sites and typically ask for modest amounts to release the victim’s personal computer files. The ransom is typically paid in Bitcoin.

The increased use of Bitcoin and other similar currencies has made this type of crime increasingly possible – it is easy to deploy, receive payments safely and transfer money anonymously. This has had a dramatic impact on the number and type of cybercrime opportunities. Bitcoin is the current engine of cybercrime, and it will continue to enable and expand cyber criminal activity.

Your stolen medical records can allow someone to see a doctor, get prescription drugs, file claims with your insurance provider, have surgery, etc.  The thief’s health information then is mixed with yours, your treatment history, blood type, allergies, and payment (or non-payment) records. This data mix can be physically dangerous to you, cause your insurance premiums to increase and result in you being denied certain insurance coverages.  It is very difficult to correct.

Stolen medical records can more troublesome than other type identity theft. 

Read your Explanation of Benefits (EOB) statement or Medicare Summary that your health plan sends after treatment. Check the name of the provider, the date of service, and the service provided. Do the claims that were paid match the care you received? If you see a mistake, contact your health plan and report the problem ASAP.

Signs of medical identity theft include bills for service you did not receive and calls from debt collector about medical debt you don’t owe. Since Federal law gives you the right to know what’s in your medical files, the thief may have impersonated you and received your complete records from other providers.  This could wreck your medical care for life.

If you think that something is amiss, ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records. The “accounting” is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months. 

Smaller medical service providers are frequently victims of combined ransomware and medical records theft.  If they are a ransomware victim, they probably have had client medical records compromised as well.  This likely qualifies under Indiana law as a “breach.”   It must be reported to the Indiana Attorney General.  Also, it probably is subject to HIPAA, OCR and HHS regulations  The medical or business professional organizational victim needs to report the information promptly.  Failure to do so can result in more fines and hassle than a multi-year full IRS audit. 

Small profitable businesses are particularly vulnerable to Ransomware and breach attacks.  The cost from “Ransomware” may be small compared to those associated with “breach,” HIPAA and other regulator’s fines.  Plus the negative publicity and client issues.  Ask yourself if you would consider a medical professional that did not actively prevent someone’s medical information from being compromised and sold on the dark net. 

Smaller businesses, particularly medical service providers, needs to have adequate cyber defense insurance from a company that has the staff experts that can apply corrective actions and guides the victims through the regulatory process.