{
	"id": "b26ddbb3-786b-47a5-af71-77eee76b1295",
	"created_at": "2026-04-09T02:22:40.51259Z",
	"updated_at": "2026-04-10T03:25:41.262738Z",
	"deleted_at": null,
	"sha1_hash": "9da2ca873d226d7b73c2ff8b7a0926b723513ac2",
	"title": "Peachtree Orthopedics alerts patients to cyberattack; third patient data breach in seven years - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 148882,
	"plain_text": "Peachtree Orthopedics alerts patients to cyberattack; third patient\r\ndata breach in seven years - DataBreaches.Net\r\nPublished: 2023-05-20 · Archived: 2026-04-09 02:04:20 UTC\r\nAn Atlanta clinic alerts patients to at least its third incident involving patient data in seven years.  \r\nKarakurt threat actors recently added Peachtree Orthopedics in Atlanta (Peachtree Orthopaedic Clinic, P.A.) to\r\ntheir leak site. As often seems to be the case with Karakurt listings, the date on Karakurt’s post is somewhat\r\nconfusing, and they make inconsistent claims about how much data they stole. In the screencap below, the date\r\nMay 17 appears with “181 GB DATA” in red. In the post itself, which first appeared on or about May 12, they\r\nclaim to have 194 GB of data, none of which has been leaked.\r\nhttps://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/\r\nPage 1 of 4\n\nImage: DataBreaches.net\r\nFinding no notice on their website, DataBreaches emailed Peachtree Orthopedics about the Karakurt listing on\r\nMay 14 but received no reply. However, a re-check of their website today shows that they uploaded a statement\r\ndated May 12, 2023. The notice begins:\r\nOn April 20, 2023, Peachtree Orthopedics determined an unauthorized party gained access to limited\r\nsystems within our computer network. We immediately began an investigation, which included working\r\nwith third-party specialists to determine the full nature and scope of the situation. We also notified law\r\nenforcement. While our investigation is ongoing, we cannot rule out unauthorized access to certain\r\ninformation for certain individuals. 
The type of information potentially affected varies by individual but\r\nmay include name in combination with one or more of the following: address, date of birth, driver’s\r\nlicense number, Social Security number, medical treatment/diagnosis information, treatment cost,\r\nfinancial account information, and health insurance claims/provider information.\r\nTheir description of potentially involved data is consistent with Karakurt’s claim that the information they\r\nobtained includes “many lines with SSNs, almost 1000 of credit cards, other detailed personal information,\r\nmedical records and tons of corporate data.”\r\nBut Peachtree’s statement does not confirm that any patient data was exfiltrated. It only says they can’t rule out\r\naccess “for certain individuals.” Neither Peachtree nor Karakurt indicated how many patients had their PHI\r\nexfiltrated. And neither discloses the date of the attack. On April 20, Peachtree “determined”  unauthorized access\r\nhad occurred, but when did it begin, and when did Peachtree first discover abnormal activity on their network?\r\nPeachtree’s full notice can be read on its website. It does not offer patients any mitigation services at this point. It\r\nadvises them on how to protect themselves but doesn’t say how it will help them if their data was stolen. It reads,\r\nin part:\r\nUpon discovering this situation, we changed account passwords and implemented additional security\r\nmeasures to further protect information and reduce the risk of a similar situation occurring in the future.\r\nIf you have questions about this situation or would like to determine if your information was potentially\r\naffected, please call 888-601-3774.\r\nIn a similar incident described below, Peachtree offered patients one year of credit monitoring and identity\r\nprotection services. 
It would not be surprising if they do the same, or even more, in this case.\r\nPrevious Cyberattacks Involving Peachtree’s Patient Data\r\nThis is the third cyberattack affecting Peachtree’s patients in seven years that DataBreaches knows about.\r\nThe first incident was a massive hack and extortion attempt by thedarkoverlord in 2016, affecting 531,000\r\npatients. In August 2016, DataBreaches’ investigation into thedarkoverlord attacks on the medical sector revealed\r\na compromise of an Illinois business associate had been used to access several medical entities, including\r\nPeachtree Orthopedic. Peachtree eventually acknowledged the breach in October.\r\nIn its investigation into the incident, HHS’s summary stated:\r\nPeachtree Orthopaedic Clinic, the covered entity, discovered that there had been an unauthorized\r\nintrusion into its computer system. It determined that the intruder may have been able to access the\r\nprotected health information (PHI) of approximately 531,000 patients. The PHI included names,\r\naddresses, dates of birth, Social Security Numbers, and some clinical information.\r\nThe covered entity retained a third party IT security firm to perform a forensic evaluation. It ended its\r\nrelationship with the business associate that it concluded was the source of the compromise to its\r\ndatabase. 
The covered entity also implemented several additional technical safeguards, including: a new\r\nintrusion detection system, improved its firewall, reset all of its user passwords, upgraded its anti-virus\r\nsoftware, including additional monitoring of user activity, and implemented multi-factor authentication\r\nfor remote users.\r\nAs a result of OCR’s investigation, Peachtree Orthopaedic Clinic also completed a new risk analysis.\r\nIt provided breach notification to HHS, the affected individuals, the media, and on its website. OCR\r\nobtained assurances that the covered entity implemented the corrective actions outlined above.\r\nIn 2021, Peachtree Orthopedic suffered another breach involving patient data, and again it was due to a business\r\nassociate. HHS’s investigation into Peachtree’s January 2022 report stated:\r\nPeachtree Orthopaedic Clinic, the covered entity, reported that its business associate (BA), experienced\r\na ransomware attack that affected the electronic protected health information (ePHI) of 53,686\r\nindividuals. The ePHI involved included names, dates of service, and other treatment information. This\r\nbreach has been consolidated into an existing compliance review of the BA.\r\nThe business associate was not named. From the limited information publicly available, that attack may not have\r\nbeen a direct attack on Peachtree’s system but involved their patients’ data on the associate’s system.\r\nNow there is a third cyberattack that appears to involve patient data. It is unclear whether any business associate\r\nwas involved or the attackers gained direct access in another way. Given all the improvements made after the\r\nthedarkoverlord incident, how or where did Peachtree’s defenses fail if they did? 
There are numerous questions,\r\nand HHS will undoubtedly investigate what happened and how.\r\nWhat Next?\r\nLike thedarkoverlord before them, Karakurt does not lock or encrypt a victim’s files or systems. They exfiltrate\r\ndata, and then they try to extort the victim. DataBreaches does not know with certainty whether Peachtree\r\nOrthopedics paid thedarkoverlord not to dump all their patient data, but DataBreaches never saw any leak of all\r\n530,000 patients’ data. Was it leaked or sold privately, or did the attackers delete data because they got paid?\r\nDataBreaches does not know. Nor do we know whether Peachtree will pay Karakurt, but the fact that they are\r\nlisted on Karakurt’s site means that so far, there has been no agreement to pay.\r\nDataBreaches will continue to monitor for updates to this incident.\r\nSource: https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/"
	],
	"report_names": [
		"peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4b8a179-799a-4ce5-a66f-f7d5688ac8b7",
			"created_at": "2023-11-08T02:00:07.148124Z",
			"updated_at": "2026-04-10T02:00:03.426798Z",
			"deleted_at": null,
			"main_name": "TheDarkOverlord",
			"aliases": [],
			"source_name": "MISPGALAXY:TheDarkOverlord",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775701360,
	"ts_updated_at": 1775791541,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9da2ca873d226d7b73c2ff8b7a0926b723513ac2.pdf",
		"text": "https://archive.orkl.eu/9da2ca873d226d7b73c2ff8b7a0926b723513ac2.txt",
		"img": "https://archive.orkl.eu/9da2ca873d226d7b73c2ff8b7a0926b723513ac2.jpg"
	}
}