GENEVA—Confidential medical data of gold medal-winning gymnast Simone Biles, seven-time Grand Slam champion Venus Williams and other female U.S. Olympians was hacked from a World Anti-Doping Agency database and posted online Tuesday.
WADA said the hackers were a “Russian cyber espionage group” called Fancy Bears.
They revealed records of “Therapeutic Use Exemptions” (TUEs), which allow athletes to use otherwise-banned substances because of a verified medical need.
Williams, who won a silver medal in mixed doubles at the Rio Olympics last month, issued a statement via her agent in which she said she was granted TUEs “when serious medical conditions have occurred,” and those exemptions were “reviewed by an anonymous, independent group of doctors, and approved for legitimate medical reasons.”
Williams revealed in 2011 she had been diagnosed with Sjogren’s syndrome, an energy-sapping disease.
“I was disappointed to learn today that my private, medical data has been compromised by hackers and published without my permission,” Williams said. “I have followed the rules established under the Tennis Anti-Doping Program in applying for, and being granted, ‘therapeutic use exemption.'”
Another athlete named was women’s basketball gold medalist Elena Delle Donne, who had thumb surgery on Tuesday and posted a post-op pic on Twitter, along with a statement saying she takes prescribed medication approved by WADA.
In a statement, USA Gymnastics said Biles—who won five medals, four gold, in Rio last month—was approved for an exemption and had not broken any rules.
She wrote on Twitter that she’s taken medication to treat ADHD since she was a child.
“Please know I believe in clean sport, have always followed the rules, and will continue to do so as fair play is critical to sport and is very important to me,” Biles posted.
WADA previously warned of cyberattacks after investigators it had appointed published reports into Russian state-sponsored doping.
“These criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia,” World Anti-Doping Agency director general Olivier Niggli said in a statement.
WADA said it “extended its investigation with the relevant law enforcement authorities.”
Last month, hackers obtained a database password for Russian runner Yuliya Stepanova, a whistleblower and key witness for the WADA investigations. She and her husband, a former official with the Russian national anti-doping agency, are now living at an undisclosed location in North America.
A spokesman for Russian President Vladimir Putin rejected WADA’s statement blaming Russian hackers as unfounded.
“There can be no talk about any official or government involvement, any involvement of Russian agencies in those actions. It’s absolutely out of the question,” spokesman Dmitry Peskov said in a statement carried by Russian news agencies. “Such unfounded accusations don’t befit any organization, if they aren’t backed by substance.”
The International Olympic Committee said it “strongly condemns such methods which clearly aim at tarnishing the reputation of clean athletes.”
“The IOC can confirm however that the athletes mentioned did not violate any anti-doping rules during the Olympic Games Rio 2016,” the Olympic body said.
The top American anti-doping official said it was “unthinkable” to try to smear athletes who followed the rules and did nothing wrong.
“The cyberbullying of innocent athletes being engaged in by these hackers is cowardly and despicable,” said Travis Tygart, CEO of the U.S. Anti-Doping Agency.
The name “Fancy Bears” appears to be a tongue-in-cheek reference to a collection of hackers that many security researchers have long associated with Russia.
In a statement posted to its website early Tuesday, the group proclaimed its allegiance to Anonymous, the loose-knit movement of online mischief-makers, and said it hacked WADA to show the world “how Olympic medals are won.”
“We will start with the U.S. team which has disgraced its name by tainted victories,” the group said, adding that more revelations about other teams were forthcoming.
Internet records suggest Fancy Bears’ data dump has been in the works for at least two weeks; their website was registered on Sept. 1 and their Twitter account was created on Sept. 6.
Messages left with the group were not immediately returned. A French name and phone number associated with the site both appeared to be bogus. A mailing address listed by the hackers appeared to point to a florist east of Paris; messages left with the business were not immediately returned.