Dental Practice Fined $350,000 for HIPAA Violations
January 8, 2025
OVerview
In December 2024, Westend Dental, an Indianapolis-based dental practice, agreed to pay a $350,000 penalty to the Indiana Attorney General's Office to resolve multiple alleged violations of federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA)1.
Background
The investigation began after a patient complained about being unable to obtain their dental records. It was discovered that Westend Dental had experienced a ransomware attack by the Medusa Locker group on or around October 20, 2020, which compromised patients' protected health information (PHI). The practice failed to report the breach promptly, only notifying the Indiana Attorney General's Office on October 28, 2022—more than two years later—and initially denied that a ransomware attack had occurred.
Violations
The Indiana Attorney General's Office identified several violations, including:
- Failure to Comply with the HIPAA Breach Notification Rule: Westend Dental did not notify affected patients within the required 60-day period following the discovery of the breach.
- Failure to Comply with the HIPAA Security Rule: The practice lacked adequate administrative, physical, and technical safeguards to protect PHI.
- Failure to Comply with the HIPAA Privacy Rule: Unauthorized disclosures of PHI occurred, and there was a lack of proper notices of privacy practices.
- Violations of Indiana State Laws: The practice failed to implement reasonable procedures and provide timely breach notifications as required by state law.
Settlement and Corrective Actions
As part of the settlement, Westend Dental agreed to:
- Pay a $350,000 financial penalty.
- Implement a corrective action plan to ensure compliance with HIPAA and state laws.
- Notify all individuals who were patients as of November 23, 2023, about the breach.
- In the United States, data breaches have been found to cost between $140 to $160 per compromised record in 20231. This figure encompasses various expenses, including detection, notification, and post-breach response efforts, but does not include the 24 month credit monitoring cost of $240 to $720 per individual2.
Lessons Learned
The Westend Dental case underscores the importance of proactive and comprehensive measures to protect sensitive patient information. Healthcare organizations must integrate the following practices to prevent similar incidents:
- Maintaining a Comprehensive Data Registry: A well-organized data registry ensures that organizations can identify where sensitive patient data is stored, who has access, and how it is used. This visibility is critical for identifying vulnerabilities and ensuring compliance with HIPAA and privacy standards.
- Implementing Secure, Offsite Backups: Regularly backing up data to secure, offsite locations provides a safety net against ransomware attacks and accidental data loss. Offsite backups should be encrypted and routinely tested to ensure they can be restored effectively during emergencies.
- Deploying Advanced Antivirus and Anti-Malware Solutions with Zero Trust: While robust antivirus and anti-malware tools are essential for identifying and mitigating threats, organizations should also implement a Zero Trust security model. This model assumes no entity—inside or outside the network—is trusted by default. It requires continuous verification of all users and devices attempting to access systems, minimizing potential attack surfaces.
- Strengthening Incident Response Plans with Training: A detailed and regularly tested incident response plan is vital. It should outline steps for containment, investigation, recovery, and notification. Furthermore, incident response training for all employees, particularly those involved in security and compliance, ensures that the team can act swiftly and effectively during a breach.
- Annual Reviews and Updates to the System Security Plan: HIPAA requires organizations to annually review and update their system security plans. This ensures that policies, safeguards, and procedures remain effective against evolving threats. Regular updates should incorporate lessons learned from incidents, emerging technologies, and regulatory changes.
- Engaging in Regular Security Audits and Penetration Tests: Conducting routine security audits and penetration tests helps identify gaps in security protocols. Audits ensure compliance with the latest regulations and provide a roadmap for addressing vulnerabilities. Audits should be performed at least annually with quarterly (or monthly) penetration testing.
- Obtaining Correct Insurance Coverage and Ensure Compliance with Requirements: Cybersecurity insurance and breach liability coverage are essential for mitigating the financial impact of data breaches. These policies can help cover the costs of breach notifications, credit monitoring, legal fees, and other associated expenses. These policies should be reviewed annually with both your insurance agent and your IT provider to ensure that you have the right coverage and that your internal policies and procedures are following the policy requirements. The last thing you want is to have an incident, only to find out that your insurance will not cover it because you did not comply with the insurance requirements.
By adopting these practices, healthcare providers can mitigate risks, ensure regulatory compliance, and strengthen their defenses against the ever-evolving landscape of cyber threats.
As of October 14, 2025, Microsoft will officially end support for Windows 10. After this date, the operating system will no longer receive security updates, technical assistance, or software updates from Microsoft. While your Windows 10 PC will continue to function, using an unsupported operating system poses significant risks.
Microsoft’s ESU program provides critical security updates for Windows 10 devices beyond the official end-of-support date. This is a paid service designed for individuals and businesses that need extra time to transition to a supported operating system.
The cloud has the ability to change the game for your dental practice, especially if you're have or are interested in branching out to multiple locations.
Let’s put you in the perspective of a patient stepping into a dental office: what’s the first thing you notice? Maybe it’s how modern and clean the space looks or how quickly you can get connected to their Wi-Fi. Or perhaps it's the opposite, and you find yourself in a place that seems to have taken a time machine back to the '90s, complete with outdated computers and a spotty internet connection.
Let's talk about something that may not get a ton of attention during your workday but is extremely important and always looming in the background - HIPAA compliance.
Want to integrate or upgrade any of the technology we’ve covered in this blog but don’t know where to start? That’s where we come in! We’re experts who specialize in the dental industry and know how to upgrade your practice without disrupting it.
In 2014, 4GB to 8GB of RAM was generally considered sufficient for most business operations. Standard tasks like document management, light multitasking, and simple software applications could easily run on 4GB, with 8GB being recommended for more intensive use. This was especially true in professions such as legal, dental, and healthcare, where electronic record systems and case management software were just beginning to integrate more advanced features. However, as software became more sophisticated and cloud computing started playing a central role, the demand for memory grew. Legal professionals now rely on cloud-based management systems, AI-powered document analysis, and e-discovery tools, which all require more RAM for efficient functioning. Similarly, the medical profession witnessed the proliferation of complex EHR systems, AI diagnostics, and telemedicine solutions, pushing the baseline RAM requirement to 16GB in most offices.
CDK Global serves thousands of dealerships across the country, providing essential services such as dealer management systems, CRM tools, and digital marketing solutions.
The disposal of old IT equipment is as critical as the implementation of new technologies.
Today, let's chat about something that’s crucial but often overlooked in our busy offices: the security of our internet routers and how a proactive patching policy can save us from a world of trouble. The Router Massacre: A Wake-Up Call In October 2023, a major security incident highlighted by Cybernews underscored the vulnerability of internet routers. Hackers targeted and compromised over 600,000 routers, leaving many American’s offline and exposed to potential data breaches. This alarming event isn't just a concern for home users—it's a red flag for all of us in professional settings where sensitive data is at stake. The Pumpkin Eclipse Attack: A Deeper Insight This recent incident referred to as the “Pumpkin Eclipse” campaign exemplifies the importance of proactive security measures. This sophisticated attack involved hackers exploiting vulnerabilities in enterprise-grade network devices, affecting both home users and businesses. The attackers could intercept and manipulate traffic, gaining access to sensitive data. This incident is a stark reminder that cyber threats are evolving, becoming more complex and harder to detect. Why Should You Care? In your line of work, whether it's healthcare, dental, or legal services, you handle highly sensitive information. Patient records, financial information, legal documents—all of these are gold mines for cybercriminals. A compromised router can act as a gateway for these attackers, potentially leading to data breaches that could have devastating consequences. The Role of Managed Service Providers (MSPs) Here’s where Managed Service Providers (MSPs) come in. An MSP can be your cybersecurity guardian, ensuring that your systems are up-to-date with the latest security patches. They provide continuous monitoring and management, reducing the risk of cyberattacks. The Importance of a Proactive Patching Policy A proactive patching policy means you are not just reacting to threats as they come, but actively preventing them. This involves regularly updating all software and firmware, particularly for network devices like routers. Why is this important? Massacre of WiFi routers leaves 600,000 American families offline | Cybernews The Pumpkin Eclipse - Lumen Prevents Exploitation of Vulnerabilities: Hackers constantly look for known vulnerabilities in outdated software. Regular patching closes these gaps. Enhances Overall Security: Patching ensures that all security measures are up-to-date, making it harder for unauthorized users to access your network. Maintains Compliance: For healthcare, dental, and law offices, compliance with regulations like HIPAA and FTC guidelines is non-negotiable. Compliance with HIPAA and FTC Regulations For those in healthcare and dental practices, HIPAA (Health Insurance Portability and Accountability Act) mandates the protection of patient information. Similarly, law offices must adhere to FTC (Federal Trade Commission) regulations, which require robust data security measures. Under HIPAA: Regular updates and patches are required to protect electronic protected health information (ePHI). Failure to comply can result in hefty fines and legal consequences. Under FTC Regulations: Businesses must take reasonable steps to secure personal data. An unpatched router leading to a data breach could be seen as a failure to protect consumer information. The Critical Role of Commercial-Grade Firewalls While regular patching is vital, it's also essential to use a commercial-grade firewall. Unlike consumer-grade firewalls, commercial-grade firewalls offer advanced features such as: Intrusion Prevention Systems (IPS): Actively monitors and blocks suspicious activities. Advanced Threat Protection (ATP): Guards against malware, ransomware, and other advanced threats. Higher Performance and Reliability: Ensures your network can handle the demands of a professional environment. Implementing a commercial-grade firewall adds an extra layer of defense, significantly reducing the risk of unauthorized access and data breaches. Why Partner with an MSP? Managing all this on your own can be overwhelming. An MSP brings expertise, ensuring that your network devices, including routers, are regularly patched and maintained. They offer: 24/7 Monitoring: Constant vigilance over your network’s health. Regular Updates: Timely application of patches and updates. Security Audits: Regular checks to ensure compliance with all relevant regulations. Peace of Mind: Knowing that your network is secure allows you to focus on what you do best—providing excellent care and services to your clients and patients. Take Action Now Don’t wait for a cyberattack to highlight the vulnerabilities in your system. Reach out to an MSP today and establish a proactive patching policy. Protect your network, safeguard your sensitive information, and stay compliant with HIPAA and FTC regulations. Also, ensure you have a robust, commercial-grade firewall in place to bolster your security posture. Your clients and patients trust you with their most sensitive information. Let’s make sure that trust is well-placed by keeping our cybersecurity measures robust and up-to-date. Stay safe and secure!
Our Services
Reach Us
Corporate Office: Raleigh, NC 27614
Servicing all of North Carolina
