Vendor to Dental Practices Hacked; 1 Million AffectedInformation Exposed Includes Payment Card Numbers
A Florida-based company that provides support services to hundreds of dental practices in 20 states says it's been hacked, exposing information - including payment card numbers - on more than 1 million patients.
See Also: Dynamic Detection for Dynamic Threats
If details are confirmed by federal regulators, the incident would be one of the largest health data breaches reported so far this year.
On Oct. 11, Sarasota, Florida-based Dental Care Alliance discovered the hacking incident, according to a breach notification report submitted recently to Maine's attorney general's office.
The company's breach notification indicates information "acquired" by hackers in the incident includes "individuals' name or other personal identifier in combination with financial account number, or credit/debit card number in combination with security code, access code, password or PIN for the account."
The company describes itself on its website as "one of country's largest and oldest dental support organizations," supporting more than 320 affiliated practices in 20 states. Among the services it provides are billing, accounting, payroll, volume purchasing, operations management and IT.
An additional notification document that DCA submitted to Maine's attorney general notes the company's investigation into the incident is ongoing.
"Dental Care Alliance LLC and its subsidiaries and affiliates is continuing to review the data potentially at risk and will supplement this notice if new significant facts are learned subsequent to its submission," that document says.
DCA says that on Oct. 11, it became aware of suspicious activity in its environment and initiated an investigation into the incident.
"As part of the investigation, which is being conducted with the assistance of third-party forensic specialists, it was determined that unauthorized individuals accessed certain files on DCA's network between Sept. 18 and Oct. 13," the statement notes.
"Therefore, DCA is conducting a review of the files at risk to identify any individuals whose sensitive information could be impacted. Information that could have been subject to unauthorized access includes name, address, dental diagnosis and treatment information, patient account number treating, billing information, dentist's name, bank account number, and health insurance information, DCA says. "Only approximately 10% of the population had a bank account number potentially impacted," the company reports.
Breach notification documents that DCA filed with Maine do not indicate the nature of the hacking incident.
In a statement provided to Information Security Media Group, Christopher DiIenno, partner at law firm Mullen Coughlin LLC, which is representing DCA, says dental practices that are part of DCA's affiliated network recently announced that they experienced an incident with shared IT resources that may affect the security of some of their patients' and employees' personal information.
"While the dental practices are unaware of any attempted or actual misuse of personal information in relation to the event, the practices have provided potentially affected individuals with notice, information about the event and steps individuals could take to help protect their personal information," he says.
"The practices and Dental Care Alliance take the security of personal information in their care very seriously. As part of their ongoing commitment to the protection of information, the practices worked with third-party specialists to reaffirm the security of their shared IT resources and to enhance the existing security measures in place. The practices have already taken and will continue to take steps to help reduce the likelihood of a similar situation in the future, including enhanced employee training, mandatory password changes and systems upgrades. The practices have also notified the United States Department of Health and Human Services and state regulators, as required."
DCA notes in its statement filed with the Maine attorney general that the company has "implemented additional safeguards and training for its employees. Additionally, DCA is providing impacted individuals with guidance on how to better protect against identity theft and fraud, including advising individuals to report any suspected incidents of identity theft or fraud to their credit card company and/or bank."
The company, however, is not offering prepaid credit or ID theft monitoring to those affected, according to DCA's notification report.
Surge in Attacks
"This breach may be evidence of heightened attacks on healthcare provider organizations that we were warned of by the government in October," says Kate Borten, president of privacy and security consultancy The Marblehead Group. "Regrettably, the attack yielded a wealth of valuable personal data. Patients must be vigilant and closely monitor their credit card, banking, and other financial activity."
As of Thursday, the DCA incident was not listed on the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals. But if the details are confirmed, the incident would be among the largest breaches reported this year.
Only three other health data breaches posted on the HHS site this year are larger. They involve:
- Michigan-based Trinity Health: It reported in September that more than 3.3 million individuals were affected by a hacking incident involving fundraising software vendor Blackbaud.
- Virginia-based Inova Health System: It reported in September that more than 1.04 million individuals were also affected by the Blackbaud incident.
- Arizona-based health plan Magellan Health Inc.: It reported in June that 1.01 million members were affected by a ransomware incident that also affected several other Magellan units and clients.
More dental practices are turning to vendors for support services, says regulatory attorney Paul Hales of the law firm Hales Law Group. "Dentists like it because it relieves them of administrative and marketing burdens. But dentists remain responsible for protecting patient PHI privacy and security. And HIPAA compliance falls through the cracks if it's not a high priority for [the vendor]," he says.
OCR HIPAA enforcement "has not created the sense of urgency to spur widespread, comprehensive HIPAA compliance," Hales says. "That may change in the Biden administration. Xavier Becerra, prospective HHS secretary, has a strong history of privacy law enforcement and is attorney general of California, which has the nation's most stringent health information privacy laws. Vice President-elect Kamala Harris, Becerra's predecessor as California AG, has an equally strong background in privacy law enforcement."