Dental Practice Fined $350,000 for HIPAA Violations

The investigation began after a patient complained about being unable to obtain their dental records. It was discovered that Westend Dental had experienced a ransomware attack by the Medusa Locker group on or around October 20, 2020, which compromised patients' protected health information (PHI). The practice failed to report the breach promptly, only notifying the Indiana Attorney General's Office on October 28, 2022—more than two years later—and initially denied that a ransomware attack had occurred. 

The Indiana Attorney General's Office identified several violations, including:

• Failure to Comply with the HIPAA Breach Notification Rule: Westend Dental did not notify affected patients within the required 60-day period following the discovery of the breach. 
• Failure to Comply with the HIPAA Security Rule: The practice lacked adequate administrative, physical, and technical safeguards to protect PHI. 
• Failure to Comply with the HIPAA Privacy Rule: Unauthorized disclosures of PHI occurred, and there was a lack of proper notices of privacy practices.
• Violations of Indiana State Laws: The practice failed to implement reasonable procedures and provide timely breach notifications as required by state law. 
  

As part of the settlement, Westend Dental agreed to:

• Pay a $350,000 financial penalty.
• Implement a corrective action plan to ensure compliance with HIPAA and state laws.
• Notify all individuals who were patients as of November 23, 2023, about the breach.
• In the United States, data breaches have been found to cost between $140 to $160 per compromised record in 20231. This figure encompasses various expenses, including detection, notification, and post-breach response efforts, but does not include the 24 month credit monitoring cost of $240 to $720 per individual2.

The Westend Dental case underscores the importance of proactive and comprehensive measures to protect sensitive patient information. Healthcare organizations must integrate the following practices to prevent similar incidents:

• Maintaining a Comprehensive Data Registry: A well-organized data registry ensures that organizations can identify where sensitive patient data is stored, who has access, and how it is used. This visibility is critical for identifying vulnerabilities and ensuring compliance with HIPAA and privacy standards.
• Implementing Secure, Offsite Backups: Regularly backing up data to secure, offsite locations provides a safety net against ransomware attacks and accidental data loss. Offsite backups should be encrypted and routinely tested to ensure they can be restored effectively during emergencies.
• Deploying Advanced Antivirus and Anti-Malware Solutions with Zero Trust: While robust antivirus and anti-malware tools are essential for identifying and mitigating threats, organizations should also implement a Zero Trust security model. This model assumes no entity—inside or outside the network—is trusted by default. It requires continuous verification of all users and devices attempting to access systems, minimizing potential attack surfaces.
• Strengthening Incident Response Plans with Training: A detailed and regularly tested incident response plan is vital. It should outline steps for containment, investigation, recovery, and notification. Furthermore, incident response training for all employees, particularly those involved in security and compliance, ensures that the team can act swiftly and effectively during a breach.
• Annual Reviews and Updates to the System Security Plan: HIPAA requires organizations to annually review and update their system security plans. This ensures that policies, safeguards, and procedures remain effective against evolving threats. Regular updates should incorporate lessons learned from incidents, emerging technologies, and regulatory changes.
• Engaging in Regular Security Audits and Penetration Tests: Conducting routine security audits and penetration tests helps identify gaps in security protocols. Audits ensure compliance with the latest regulations and provide a roadmap for addressing vulnerabilities. Audits should be performed at least annually with quarterly (or monthly) penetration testing.
• Obtaining Correct Insurance Coverage and Ensure Compliance with Requirements: Cybersecurity insurance and breach liability coverage are essential for mitigating the financial impact of data breaches. These policies can help cover the costs of breach notifications, credit monitoring, legal fees, and other associated expenses. These policies should be reviewed annually with both your insurance agent and your IT provider to ensure that you have the right coverage and that your internal policies and procedures are following the policy requirements. The last thing you want is to have an incident, only to find out that your insurance will not cover it because you did not comply with the insurance requirements.

By adopting these practices, healthcare providers can mitigate risks, ensure regulatory compliance, and strengthen their defenses against the ever-evolving landscape of cyber threats.