GENEVA -- Russian hackers broke into a World Anti-Doping Agency database and posted confidential medical data online Tuesday of some United States female athletes who competed at the Rio Olympics -- including gymnast Simone Biles, tennis players Serena and Venus Williams and basketball player Elena Delle Donne.
WADA said the attack was carried out by a "Russian cyber espionage group" called "Fancy Bears," who revealed records of "therapeutic use exemptions" -- which allow athletes to use substances that are banned if there is a verified medical need.
The hackers posted medical records of Biles that showed the four-time gold medalist tested positive for methylphenidate after four tests -- Aug. 11, Aug. 14, Aug. 15 and Aug. 16. However, Biles was issued certificates that, per the International Gymnastics Federation, approved the one-daily use of the drug (15 mg) for therapeutic use for one-year periods in September 2012 and September 2013. In December 2013, Biles was again issued a one-year certificate for dexmethylphenidate that included an additional 10 mg dose per day, and that certificate for both dosages was extended for a four-year period from December 2014 to December 2018.
Biles responded on Twitter, saying that she has attention deficit hyperactivity disorder and has "taken medicine for it since I was a kid."
"Please know, I believe in clean sport, have always followed the rules, and will continue to do so as fair play is critical to sport and is very important to me," she said.
USA Gymnastics issued a statement on Twitter confirming that Biles' records were breached from the WADA database by hackers.
The Williams sisters did not test positive in Rio, according to the records posted by the hackers, but had been granted multiple certificates of approval, authorized by the International Tennis Federation, for specified periods since 2010. Serena Williams was last approved for using prednisolone for a six-day period in June 2015. In the past, Serena also had approvals for methylprednisolone, hydromorphone, oxycodone and prednisone.
Venus, meanwhile, had exceptions for triamcinolone, prednisone, formoterol and prednisolone for specified periods between 2010 and 2013.
Venus Williams, who won a silver medal in mixed doubles at the Rio Olympics last month, issued a statement via her agent in which she said she was granted TUEs "when serious medical conditions have occurred," and those exemptions were "reviewed by an anonymous, independent group of doctors, and approved for legitimate medical reasons."
Williams revealed in 2011 she had been diagnosed with Sjogren's Syndrome, an energy-sapping disease.
"I was disappointed to learn today that my private, medical data has been compromised by hackers and published without my permission,'' Williams said. "I have followed the rules established under the Tennis Anti-Doping Program in applying for, and being granted, 'therapeutic use exemption.' "
The ITF also cautioned against "unjustified conclusions'' being drawn from exemptions it approved.
"All TUEs granted under the Tennis Anti-Doping Program are for the legitimate therapeutic use of medications and are in no way indicative of doping or a breach of the anti-doping rules,'' International Tennis Federation president David Haggerty said in a statement.
According to the hackers' documents, Delle Donne, who averaged 8.6 points per game as the U.S. won the gold in women's basketball, tested positive for using an amphetamine on Aug. 20, but she, too, had a certificate of approval, authorized by FIBA, for therapeutic use that was issued for a four-year period from Aug. 7, 2014 to Aug. 7, 2018. In addition, Delle Donne had another certificate, also authorized by FIBA, permitting the usage of a banned hydrocortisone from 2014 to 2018.
"I'd like to thank the hackers for making the world aware that I legally take a prescription for a condition I've been diagnosed with, which WADA granted me an exception for," Delle Donne said in a tweet Tuesday. "Thanks guys!"
USADA CEO Travis Tygart issued a statement Tuesday condemning the hackers' "attempt to smear athletes to make it look as if they have done something wrong."
"The athletes haven't," Tygart continued. "In fact, in each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication. The respective International Federations, through the proper process, granted the permission and it was recognized by the IOC and USADA.
"The cyber-bullying of innocent athletes being engaged in by these hackers is cowardly and despicable. It is time for the entire international community to stand up and condemn this cyber-attack on clean sport and athletes rights."
Three-time Tour de France winner Chris Froome said he has "no issue" with his medical data being leaked.
"I've openly discussed my TUEs with the media and have no issues with the leak which confirms my statements," Froome said Thursday in a statement.
WADA previously warned of cyberattacks after investigators it appointed published reports into Russian state-sponsored doping.
"These criminal acts are greatly compromising the effort by the global anti-doping community to re-establish trust in Russia," World Anti-Doping Agency director general Olivier Niggli said in a statement.
WADA said it "extended its investigation with the relevant law enforcement authorities."
Last month, hackers obtained a database password for Russian runner Yuliya Stepanova, a whistleblower and key witness for the WADA investigations. She and her husband, a former official with the Russian national anti-doping agency, are now living at an undisclosed location in North America.
A spokesman for Russian state President Vladimir Putin rejected WADA's statement blaming Russian hackers as unfounded.
"There can be no talk about any official or government involvement, any involvement of Russian agencies in those actions. It's absolutely out of the question," spokesman Dmitry Peskov said in a statement carried by Russian news agencies. "Such unfounded accusations don't befit any organization, if they aren't backed by substance."
The International Olympic Committee said it "strongly condemns such methods which clearly aim at tarnishing the reputation of clean athletes."
"The IOC can confirm however that the athletes mentioned did not violate any anti-doping rules during the Olympic Games Rio 2016," the Olympic body said.
Those behind the breach have adopted the name Fancy Bears, an apparently tongue-in-cheek reference to a collection of hackers which many security researchers have long associated with Russia.
In a statement posted to its website early Tuesday, the group proclaimed its allegiance to Anonymous, the loose-knit movement of online mischief-makers, and said it hacked WADA to show the world "how Olympic medals are won."
"We will start with the U.S. team which has disgraced its name by tainted victories," the group said, adding that more revelations about other teams were forthcoming.
Internet records suggest Fancy Bears' data dump has been in the works for at least two weeks; their website was registered on Sept. 1 and their Twitter account was created Sept. 6.
The Associated Press contributed to this report.
