Teton Orthopaedics informs patients of a ransomware attack discovered nine months ago – DataBreaches.Net

All right, mates, gather round. It’s time for a tale about a real cyber snafu. So, this one starts back on March 25, when Teton Orthopaedics, a US-based company, landed on the radar of DataBreaches.net. Not from any official report, mind you, but because of a boastful claim by a ransomware group known as DragonForce.

Now, DragonForce, being utterly chuffed with themselves, alleged they had ‘borrowed’ a whopping 19.48GB of Teton files and put a lock on the lot. In the mix were all sorts from patient records to billing and insurance stuff. Now, this leak wasn’t small potatoes, mind – it gave away patient info, medical histories, diagnoses and treatments, you name it. Bit of a cock-up, wouldn’t you agree?

But, for some unknown reason, there were no whispers of it anywhere, not on the HHS’s breach tool (Healthcare and Public Health Sector’s breach-notification tool on the other side of the pond), or on Teton’s own website. Dead quiet they were – almost as if nothing happened at all.

Fast forward to the twilight days of 2024, and finally Teton made a peep. They tell our friends over in Massachusetts about a ransomware bout, and then let slip to Maine about the real scope of the disaster – a staggering 13,409 people chucked into this cyber kerfuffle!

Yet, isn’t it odd there was no nudge to HHS within 60 days about the breach, as per protocol, especially since Teton apparently caught whiff of the breach on March 25, the same day DragonForce announced their exploit? You’d think with this level of synchronisation, they’d be on it quicker than a fox chasing a chicken, but nope, it took them all the way until May 23. Then silence – nothing new on the HHS public breach tool.

Oh, and what about the actual victims – the patients, left in the dark like tinned sardines waiting for the metaphorical Battenberg cake that never came, despite DataBreaches reaching out?

Now, rumor has it (or rather, word from DragonForce themselves) that they and Teton had a little tête-à-tête come March 27, negotiating over the bill – you know, your typical honest ransomware chat. Sounds like Teton were as strapped as they could be, and couldn’t commit more than $50,000 at the time. Just a few weeks later, they pipe up saying they’re trying to figure it out. But then… nada. No comebacks, no “we’ve sorted it, lads,” nothing. Radio silence.

Watch yourselves though, because not just patient data got bungled up in this fiasco – employee data took a hit too. We’re talking names, addresses, birthdates, various IDs, even payment card info. “Blimey!” is what you’re thinking, right?

While Teton insists it’s fortified its security after the fact, they’ve been shy on offering things like credit monitoring or identity protection services. And, they’ve not even had the decency to tell their patients the truth – that their personal and health info is freely available on the dark web for any Tom, Dick or Harry to download. Now, that’s an earful and a half, isn’t it?

But you know what they say – what you don’t know won’t hurt you… or will it?

by Parker Bytes
