Dental group lied through teeth about data breach, fined $350,000
A US chain of dental offices known as Westend Dental LLC denied a 2020 ransomware attack and its associated data breach, instead telling its customers that data had been lost due to an “accidentally formatted hard drive.”
Unfortunately for the organization, the truth came out. Westend Dental agreed to pay a $350,000 penalty to settle several violations of the Health Insurance Portability and Accountability Act (HIPAA).
In October 2020, Westend Dental was attacked by the Medusa Locker ransomware group. Medusa Locker is a type of ransomware that operates under a Ransomware-as-a-Service (RaaS) model, primarily targeting large enterprises in sectors such as healthcare and education. This ransomware is known for double extortion tactics: the operators encrypt victims’ data while also threatening to release sensitive information unless a ransom is paid.
Westend Dental did not submit the mandatory notification within 60 days; it waited until October 28, 2022, two years later, to submit a data breach notification form to the State of Indiana.
The Indiana Office of Inspector General (OIG) later uncovered evidence that Westend Dental had experienced a ransomware attack on or around October 20, 2020, involving state residents’ protected health information, but Westend Dental still denied there had been a data breach. The investigation was prompted by a consumer complaint from a Westend Dental patient regarding an unfulfilled request for dental records.
In January 2023 a witness confirmed there had been a data breach, which prompted the Indiana OIG to initiate a wider investigation to assess compliance with the HIPAA rules and state laws. This investigation revealed extensive HIPAA violations.
Other violations found during the investigation included:
- HIPAA policies and procedures were not given to or made readily available to employees.
- The company provided no HIPAA training for employees prior to November 2023.
- There was no evidence that a HIPAA-compliant risk analysis had ever been conducted (lists of usernames and passwords were stored in plain text on the compromised server).
- There were no password policies until at least January 2024 (the same username and password were used for all Westend Dental servers that contained protected health information).
- No physical safeguards were implemented to limit access to servers containing patient data. (Some servers were located, unprotected, in employee break rooms and bathrooms.)
Court documents also reveal that because Westend Dental did not conduct a forensic investigation, the exact number of people affected by the breach is unknown. We do know that Westend Dental served around 17,000 patients across all companies and practices at the time of the ransomware attack.
The attackers initially gained access to at least one server, but since there was no monitoring software in place, it is unknown how far they were able to infiltrate other systems. And since the backups made by a third party turned out to be incomplete, Westend Dental was also unable to inform affected patients.