Exposed: Dental Office Accused of Covering Up Major Data Breach!
In a striking move, Westend Dental has agreed to shell out a hefty $350,000 to the state of Indiana, alongside a commitment to bolster its data security measures. This comes in the wake of a damning revelation about their handling of a ransomware attack that took place back in 2020. The incident was uncovered during an investigation prompted by patient complaints over unanswered requests for dental X-rays.
On December 23, 2024, Indiana’s Attorney General, Todd Rokita, filed a federal lawsuit claiming that Westend Dental, which operates multiple locations across Indianapolis and Lafayette, knew about the ransomware breach back in October 2020 but failed to conduct any forensic investigation. Even more alarmingly, they neglected to notify the patients whose sensitive health information was compromised. In a rather astonishing twist, when a patient inquired about their X-ray records, they were told that the records were inaccessible because of a hacking incident.
The lawsuit outlines serious violations of HIPAA and state data security laws, with allegations that Westend attempted to obscure the true nature of the October 2020 incident.
“Westend Dental was under a legal obligation to promptly report this data breach to the Office of Attorney General, yet it was only discovered through consumer complaints,” the lawsuit states. It wasn’t until October 2022—two long years after the breach—that Westend finally acknowledged the incident, inaccurately claiming it affected fewer than 500 individuals and downplaying the situation as a mere formatting error with a server hard drive.
In contrast to their claims, the state alleges that Westend was well aware that their files had been encrypted by malware during the attack, which was orchestrated by the notorious cybercriminal group, MedusaLocker.
Under a proposed consent order, Westend must not only pay the financial penalty but also undertake extensive data security enhancements and ensure compliance with HIPAA regulations. They are also expected to notify all individuals who could have been impacted by the breach beginning November 2023.
However, due to their failure to conduct a forensic investigation, there’s still uncertainty regarding the full extent of the breach and the number of patients affected. As a result, they’re now obligated to reach out to every patient in their records.
The lawsuit also highlights how Westend Dental’s missteps extend beyond data breaches. Allegations include violations of HIPAA privacy regulations in their responses to online reviews and social media interactions. This includes the unauthorized posting of patients’ protected health information and images—some of minors—without obtaining necessary consents.
This isn’t an isolated incident. Federal regulators have stepped in with enforcement actions against multiple medical facilities, including dental practices, for similar HIPAA infractions involving social media mishaps. Just last year, the U.S. Department of Health and Human Services hit a Los Angeles dental practice with a $23,000 fine after it repeatedly mishandled patient information in its Yelp responses.
As of now, neither the Indiana Attorney General’s office nor Westend Dental has responded to requests for comments on this unfolding situation.