Cybercrime , Fraud Management & Cybercrime , Healthcare
Nothing to Smile About: Hacks on Dental Practices Swell
Over 1.2 Million Patients' Sensitive Data Exposed So Far This YearSome dentists don't have much to smile about these days when it comes to cyberattacks. More than 1.2 million of their patients have had their sensitive data compromised so far in 2024, including several incidents reported to regulators in the past month.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
As of Wednesday, dental practices in 2024 have reported at least two dozen major data breaches to the U.S. Department of Health and Human Services' Office for Civil Rights, which posted the incidents to its HIPAA Breach Reporting Tool website.
The biggest hack reported to the HHS OCR so far this year hit Arizona-based Risas Dental & Braces, which on March 28 reported a hacking incident involving a network server and affecting 618,189 individuals.
The investigation into that incident - first detected in July 2023 - determined that files stored on Risas' information systems may have been extracted without authorization.
Data affected includes patients' name, contact information, treatment information - such as procedure names or notes, the initial date or dates of service, and insurance subscriber information. The information did not contain patients' Social Security numbers, detailed treatment information or treatment records, Risas said.
Another large breach reported in recent weeks to HHS OCR involved three Minnesota-based specialty dental practices related to an email hacking at parent company Park Dental. Collectively, the hacks affected about 279,000 patients.
PDG, P.A, which does business as Park Dental, reported its hack affected 238,667 individuals; The Dental Specialists reported nearly 39,000 people affected; and Facial Pain Center reported that 1,894 individuals were affected in its breach.
For at least two days earlier in the week, the Facial Pain Center breach was listed on the HHS OCR website as affecting nearly 239,000 individuals. But a spokeswoman for the pain center told Information Security Media Group that was an error by HHS OCR. The agency corrected the posting late on Tuesday.
Each of their breach notices says that on Jan. 23, the organization became aware of unauthorized activity for a limited number of employee email accounts. "In response, we immediately took steps to secure the email accounts. With the assistance of third-party cybersecurity specialists, we then launched an investigation into the nature and scope of the event."
The investigations determined that an unauthorized actor potentially viewed or accessed information stored in email accounts of a limited number of employee email accounts between Jan. 11 and Jan. 23.
Each practice said its incident "was limited to our Microsoft 365 cloud environment and did not involve a compromise of its internal computer network or patient records database."
Other Hacks
New Jersey Oral & Maxillofacial Surgery also reported a major health data breach in the last six weeks.
On July 12, the specialty dental practice reported to HHS OCR a hacking incident involving a network server that affected more than 74,000 patients - one of the largest breaches reported to the agency by a dental practice in the last few months.
New Jersey Oral & Maxillofacial Surgery in its breach notice said the incident - which was detected in May - resulted in the unauthorized access and acquisition of certain files on the practice's computer systems.
Information contained on those affected files includes patients' full name, home address, birthdate, other demographic and contact information, Social Security number, driver's license and state ID numbers, financial and account information, insurance information, and diagnosis and treatment information.
The practice said it offered free credit and identity monitoring to affected individuals and is implementing "additional safeguards" to help prevent similar incidents in the future.
Root Causes
Why have so many dental practices been hit? Dental offices are vulnerable to hacks - including ransomware, phishing, data thefts and other incidents - for many of the same reasons that put smaller or specialty organizations in the healthcare sector at risk, experts said.
"Dental practices typically don't have robust security controls," said Kate Borten, president of privacy and security consulting firm The Marblehead Group. "They rely on third parties for much of their technology, including security - sometimes with low budgets and limited oversight," she said.
Staff in small practices often do not receive extensive security and privacy training compared with larger entities, such as many hospitals, Borten said. "Security is unlikely to be anywhere near the top of mind in day-to-day operations, leading to phishing vulnerabilities in email and password management," and other weaknesses.
Many incidents involving dental practices - such as the ones reported by Park Dental, The Dental Specialists and the Facial Pain Center in Minnesota - suggest that one of the most prevalent initial access vectors is compromise of an email account, said Mike Hamilton, founder and CISO of security firm Critical Insight.
"This would indicate phishing in the absence of multifactor authentication, reuse of credentials that were made public in a separate incident, or password guessing on a public-facing service such as a remote access product," he said.
Hamilton said many dentists resist additional controls such as multifactor authentication, which they see as impediments to patient care.
"These conditions create the opportunity for vulnerability exploit of internet-facing technologies, credential misuse through stuffing and brute-forcing, and using the managed services provider as the 'unlocked window’' to reach the intended targets," he said.
To bolster security practices, dental practices should implement the cybersecurity performance goals that HHS released earlier this year, Hamilton said, adding that the goals are based on best practices supported by CISA, the National Institute of Standards and Technologies and various industry groups (see: HHS Details New Cyber Performance Goals for Health Sector).
"The CPGs are the most basic controls that are effective at raising the degree of effort needed by the attacker to gain access," he said. "Further, implementing the CPGs, depending on the state in which the practice is located, can be a safe harbor for regulatory action and may help to avoid additional civil penalties such as class action suits."