Nation & World

How The Dark Overlord is costing U.S. clinics big time with ransom demands

The Dark Overlord has pirated hundreds of thousands of medical records across the United States in an ongoing hack.
The Dark Overlord has pirated hundreds of thousands of medical records across the United States in an ongoing hack. ShutterStock

A brassy, attention-seeking hacker group that calls itself The Dark Overlord is stealing massive numbers of patient records from U.S. medical and dental clinics and hawking them on the black market or spilling them onto the internet.

The group’s digital rampage hasn’t seized the kinds of headlines that have been devoted to the WannaCry ransomware that’s swept the globe in recent days. But it has had a far greater impact in the United States than the ransomware attack, inflicting heavy – even crippling – costs on small clinics across America.

While the ransomware attack affected few computers in the United States other than those of FedEx, The Dark Overlord has plundered hundreds of thousands of digital health records in the past year from coast to coast. Targets have ranged from a Manhattan cosmetic dental practice to a semi-rural Missouri medical clinic. Only last week, the group posted the patient records of clinics in Florida and California.

The hackers freeze the clinics’ records, then demand payment in bitcoin to return access. If payment is not forthcoming, the records may be released on the internet. On the underground “dark web,” crime groups pay varying rates for what is known as personally identifiable information.

Social Security numbers can fetch about 25 cents each, while credit card numbers might bring $1 to $10, said Robert Lord, chief executive of Protenus, a Baltimore firm specializing in health care cybersecurity. Complete health records can sell for hundreds of dollars each.

While credit cards can be canceled, medical records are largely immutable and provide family history, medications, billing information, medical diagnoses, sexual history and further details.

“They can be used for extremely complex types of fraud,” Lord said, like identity theft, medication and claims fraud, and abusive ad targeting.

“Then of course there is medical blackmail. If you’re a public figure and you have plastic surgery or you’re HIV positive or have a cancer diagnosis . . . you can imagine what that could mean if your records became public,” Lord said.

If a ransom demand is ignored or rejected, The Dark Overlord can be testy.

“This clinic didn’t do anything wrong except annoy us,” a Twitter account for @tdohack3r, which is used by The Dark Overlord, said after releasing 142,414 patient records May 4 from the Tampa Bay Surgery Center, a private outpatient facility. The records included home and work telephone numbers, and in some cases Social Security numbers and addresses.

“The country is under siege right now,” said Dr. Jay L. Rosen, chief executive of the facility. “It’s a horrible situation.”

No one knows where The Dark Overlord hackers operate from or how large a group it is, only that it is presumably foreign because it uses common British, not American, spellings.

Many corners of the U.S. health care sector are disastrously vulnerable to computer breaches, experts say, and cybercrime groups discovered that medical records can be valuable for fraud, blackmail and extortion.

“Unfortunately, health care’s got a major target painted on its back,” said Lord, the health care sybersecurity expert.

For some, a visit from the Dark Overlord is all but fatal.

That was the case for Cancer Services of East Central Indiana – Little Red Door, a Muncie, Indiana, nonprofit that assists impoverished cancer victims. The executive director, Aimee Fant, recalled with anger the way The Dark Overlord had shaken down her facility earlier this year.

“It was demented,” Fant said. “They were saying, ‘We’re your new best friends. We want to help you.’ ”

The hackers installed malicious code that encrypted the hard drives of the facility’s eight computers, and didn’t listen to appeals about the center’s shoestring budget and its charitable services, which include providing hospice support for the cancer-ridden and offering gasoline cards to help poor patients get to doctors’ appointments.

News of the hack came as the center’s directors were literally sitting down for a board meeting on Jan. 11, Fant said. Text messages pinged in.

“They wanted ransom. They wanted 43 bitcoin, which was about $43,000,” Fant said. “We made the decision that we were not going to pay.”

The hackers sent messages suggesting that news of the breach would generate sympathy for the center, and donations would increase beyond what the ransom would cost.

“Their argument was that people would feel sorry for us,” she said.

Little Red Door stood firm – and felt the pain.

“We took a hit. . . . They wiped us out clean. We were completely unable to function,” Fant said. “It took about two months to get back up and running.”

A website that monitors hacks in the health care arena,, tallies at least seven cases by The Dark Overlord of thefts of patient data from medical and dental clinics in the past year. They involve clinics in and around Farmington, Missouri; Anaheim, California; Tampa, Florida; and a dental clinic in New York City.

A metro Atlanta clinic, Peachtree Orthopedics, announced last Oct. 1 that 531,000 patient records had been lost to a hack. Last week, a California clinic, Orange County Gastrocare, saw 34,100 files of patient details published on the internet. Both clinics appeared to be Dark Overlord victims.

They are only a portion of the 126 breaches since May 1, 2016, listed on the Department of Health and Human Services Breach Portal, each of which affected more than 500 individuals.

How many of those breaches were caused by The Dark Overlord is anyone’s guess.

The hacking group does more than go after health clinics. Late last month, the group stole and released 10 episodes of the fifth season of the Netflix series “Orange Is the New Black” a month before its official premiere. Netflix refused to pay a ransom, so the hackers retaliated.

Like outlaws of the Old West, The Dark Overlord seems to thrive on growing fame.

“They are both technically strong and they’ve got good communication skills,” said Nick Bilogorskiy, senior director of threat operations at Cyphort Labs, a cybersecurity firm in Santa Clara, California. “The brand is notorious.”

“They use very grandiose language and like to draw attention to themselves,” he added.

Some of the group’s targets do not take kindly to the criminal computer intrusions and demands for ransom – and respond with both barrels blazing.

A dental clinic on New York’s Fifth Avenue, Aesthetic Dentistry, reportedly tweeted to the hacking group, “Go f--- yourself,” and added in ungrammatical English, “kiss Aesthetic Dentistry FAT ASS.”

The hackers posted a response on “Being the good-natured people we are, we contacted the dentistry after we had a copy of their patient records safely in our possession. After notifying them of this fact . . . they suddenly became hostile towards us and using very colourful language, foolishly declined,” said the note signed by @tdohack3r.

“As always, we are open to communication and discussion with all of our valued business partners,” the note said.

Aesthetic Dentistry did not respond to several requests for comment.

Clinics hit by the attacks face mounting bills for legal fees and expert digital forensics to look into how the attacks occurred. Sometimes they have to pay for credit monitoring services for patients whose records became public.

Then the clinics can face a crippling loss of business.

“About 50 percent of individuals affected by a data breach are going to switch away from that clinic in the wake of it. What that means is that (affected clinics can) lose the average lifetime value of that patient,” Lord said.

Rosen, the Tampa outpatient clinic executive, still reels from the attack.

“Everybody’s trying to stay ahead of the hackers,” he said, adding that he hopes authorities can prosecute the digital crime groups.

“Any normal person would like to see them brought to justice,” he said.

Tim Johnson: 202-383-6028, @timjohnson4