Sports Medicine and Rehabilitation Therapy
September 13, 2017
16.4K
Confirmed
Hacking
Healthcare
SMART (“Sports Medicine and Rehabilitation Therapy”) Physical Therapy has two locations in Massachusetts: one in Malden and one in Reading. But it doesn’t matter which one patients may have been treated at, as data from all of their patients was recently hacked by TheDarkOverlord. And not surprisingly, the attackers tried to extort the clinic.

Based on information provided to this site by TheDarkOverlord and by the owner of SMART PT, it appears that the hackers were able to access the patient data stored in Patterson PTOS software because of weak passwords. Patterson (now known as Performance Health) had totally discontinued the PTOS software product line in March, 2017, so it was an unsupported product at the time of the hack on September 13.

Over the next few days, TheDarkOverlord provided this site with some additional details, but also the patient database. It contained 16,428 patient records, all with unencrypted text. The headers/fields were as follows:

PatientId,"LastName","FirstName","Address1","Address2","City","State","Zip","Sex",
"ResPhone","OffPhone","CellPhone","Email","Dob","PayType","Ssn","Status",
"Comments","EntryUser","EntryDate","EditUser","EditDate","Password","BGroup",
"FacilityID","UDF","Occupation","Emgname","EmgPhone","Emgrelation","Title",
"MaritalStatus","initial","nickname","HIPAA_AuthDate","Privacy_NotificationDate",
"OKToContact_ResPhone","OKToContact_OffPhone","OKToContact_CellPhone",
"SchedulingPreferences","ClusteredIndexId"