Texas Dental Practice Says Patient PHI ‘Accessed, Copied’ in 2021 Malware Incident
A Texas dental and orthodontic practice that has 70 offices in the state and boasts of being “the official dentist” of a National Basketball Association team is notifying more than 1 million individuals of a 2021 malware incident involving patient information being viewed and copied by attackers.
Dallas-based JDC Healthcare Management, which operates under the name Jefferson Dental & Orthodontics and says on its website that it is the “official dentist” of the NBA team the Dallas Mavericks, reported on Thursday to the Texas attorney general’s office that personal and health information of nearly 1.03 million Texans had been affected in the incident, which was discovered last summer.
In a breach notification statement, JDC says that on or about Aug. 9, 2021, it became aware of a malware incident affecting certain company systems.
“JDC immediately worked to restore its systems and launched an investigation, with assistance from third-party computer forensic specialists, to determine the nature and scope of the incident.”
On Aug. 13, 2021, JDC determined that certain documents stored within its environment had been copied from or viewed on the system as part of the cyber incident occurring between July 27 and Aug. 16, 2021. “While to date, the investigation has found no evidence of actual or attempted misuse of data, we are making our community aware in an abundance of caution,” JDC says.
Information affected in the incident includes names, addresses, Social Security numbers, driver’s license numbers, government ID numbers – such as passport and state ID numbers – medical information, health insurance information and financial information, including credit or debit card numbers.
In its breach notification statement, JDC says that upon learning of the incident, the entity “moved quickly” to investigate and respond, assess the security of its systems and restore functionality to its environment.
“As part of JDC’s ongoing commitment to the security of information, JDC is reviewing and enhancing existing policies and procedures to reduce the likelihood of a similar future event and has reported this incident to law enforcement.”
JDC did not immediately respond to Information Security Media Group’s request for additional information about the incident, including whether it involved ransomware.
Federal Breach Reporting
While JDC reported to Texas regulators that its breach had affected more than 1 million individuals, the entity reported that same breach to federal regulators on Oct. 7, 2021, as a hacking/IT incident involving a network server and affecting only 501 individuals, according to the Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool website. That website lists health data breaches affecting 500 or more individuals.
Some experts note that occasionally covered entities will initially report to HHS OCR what the organization anticipates is a major HIPAA breach as affecting only about 500 individuals, before the exact number of affected individuals is determined.
But “501 to 1.3 million is a big delta,” says attorney Andrew Mahler, vice president of privacy and compliance at privacy and security consulting firm CynergisTek.
“I think most organizations try to make their best estimate of the exposure when they report and err on the side of reporting more rather than less so as not to place victims at greater risk. By saying only 501 for several months, when the number was far larger, those individuals were exposed potentially to greater risk,” he says.
Also, whether a protected health information breach report needs updating “by a lot or a little,” organizations should take care to confirm that the reporting and notification are accurate and complete, says Mahler, who is a former HHS OCR investigator.
“If corrections need to be made after the report is submitted, OCR allows organizations to update or correct previous reporting – whether the breach affected 500 or more or fewer than 500 individuals – through adding an addendum via OCR’s website,” he adds.
Privacy attorney David Holtzman of the consulting firm HITprivacy offers a similar assessment. “It is not unusual for a large or complex breach to require several months of investigation to determine the precise number of individuals whose PHI was compromised,” he says.
“Examples would be when paper-based files are put into the waste stream with regular office trash or a healthcare organization has not conducted an inventory of its electronic files or performed regular and periodic backups of its data,” he says.
Under those circumstances, the covered entity should make a timely report of a breach to OCR and other regulatory agencies with the information available at the time of making the notice.
If a covered entity discovers additional information that modifies a previously submitted notice, it should submit an additional breach form on HHS OCR’s portal used for reporting a breach, says Holtzman, who was a senior adviser at HHS OCR.
Notifying Affected Individuals
Meanwhile, when it comes to breach notification statements, “the appropriate language to use – if the exact number of individuals is unknown – is ‘a breach involving at least 500 people; however, we have not been able to ascertain the total number of individuals affected. We have employed a forensic team and are in the process of determining a more accurate number,’” says regulatory attorney Rachel Rose.
“While initially there may be less attention given to a breach because of the number of individuals affected, the harm in the long run could be more problematic,” she says.
Also, entities should consider that when a notice is submitted to either a federal or state government agency, there is an attestation that the submission is true and accurate to the best of the individual’s knowledge, she says.
Besides the disparity in the number of individuals JDC reported to Texas and federal regulators as affected by the breach, there are other troubling issues involving the entity’s incident, some experts note.
“Children’s [dental and orthodontic] records were involved, which is even more disconcerting because of the other crimes which are perpetrated against children,” Rose says.
As for the JDC breach potentially compromising records of Dallas Mavericks players who are patients of the practice, Rose says: “In social engineering terms, targets such as professional sports figures are termed ‘whale fishing’ because they are big targets with deep pockets.”
There is always a heightened propensity for individuals – including insiders – to access the medical records of celebrities and public figures for a variety of different reasons, she says.
“The best approach is to have limited access to these individuals’ records, which is accomplished by having role-based access and audit logs.”
Many organizations also take additional steps to protect what they consider VIP patients, including implementing certain electronic health record controls and conducting staff training, says Mac McMillan, CEO of CynergisTek.
“It is absolutely the case that patients of notoriety create interest for those who treat them – particularly those who advertise it, as JDC has done – or who are located near public or prominent organizations, be it sports, government, theatre,” he says.
McMillan adds that the bottom line is: “Right now, all of healthcare is at great risk.”
The Dallas Mavericks did not immediately respond to ISMG’s request for comment, including whether any of its team members had been notified that their health and personal information was potentially compromised in the JDC incident.