A hacker or group of hackers with possible links to an ultra-nationalist, right-wing Ukrainian political faction posted to Twitter and to a Google cloud-based storage area more than a half-million documents, including patient information, from an Ohio healthcare provider.
A Twitter account for a user going by the name Pravyy Sector, with the handle @pravsector, contained a screen shot of a copy of a spreadsheet page with two dozen patients' names, addresses, phone numbers, dates of birth, their insurance carriers and insurance ID numbers, and for some, abbreviated diagnoses such as “prostate” or “sex drive.”
The tweet containing the spreadsheet also referenced “156GB files,” a link to the Google drives, and a link to the webpage of Central Ohio Urology Group. The group, based in Gahanna, a Columbus suburb, operates at 24 locations in and around Columbus, according to its website.
Calls to the group about the breach are being directed to a recorded message saying the practice is “investigating possible criminal activity on our database with law enforcement agencies.”
“If we find that our data system truly has been breached, we will contact affected individuals directly with more information,” the message said. “We have taken additional steps to further protect our patient data.”
Pravyy Sektor, or the Right Sector, has been described by the BBC as “the most radical wing of Ukraine's protest movement,” which toppled then-President Viktor Yanukovych's government in February 2014. Yanukovych was seen as an ally of Russian President Vladimir Putin.
The Twitter account where the hack was announced was created in July. It has 456 followers and has posted 55 tweets. Postings suggest its creators have an eye for fashion and an interest in soccer.
The operator of a cybersecurity website, DataBreaches.net, reports having exchanged messages with someone at @pravsector and was told that the hack was a warning “for political purposes,” although the respondent acknowledged the Ohio medical group had nothing to do with the issues being raised.
Lee Johnstone, an information security data analyst writing at the website Cyber War News, reportedly searched the Google storage drives linked in the Pravyy Sector tweet and found more than 520,000 various files, including spreadsheets, text and PDF documents, software and “NextGen patient records,” a likely reference to a popular electronic health record system by NextGen Healthcare Information Systems.
Johnstone wrote he also found a “ransomware lock page” among the documents, which implies the group had been targeted in a previously undisclosed ransomware attack, he said. The page suggests that a version of the CryptXXX cryptolocker software was used, Johnstone said. The software virus renders a victim's data unusable until a decryption key is purchased from the hackers.
Ransomware attacks in which a hacker removes or encrypts an organization's data and holds it hostage until a ransom payment is made—typically using the hard-to-trace cybercurrency, bitcoin—made headlines for the healthcare industry in March. That's when Hollywood Presbyterian Medical Center in Los Angeles paid roughly $17,000 worth of bitcoins to hackers who disabled its computer network.