DataBreaches.Net: Westend Dental to Pay Indiana $350K and Implement Corrective Action Plan Over Multiple HIPAA Violations Settlement

Grab a cuppa and settle in, because, blimey, have I got a story for you. Picture this: an Indianapolis dental practice, Westend Dental, got hit by a ransomware attack in October 2020. Yet it's only now that we're starting to see concrete action towards resolving the issue, and that's with our friends at the Indiana state attorney general's office taking the reins, no thanks to the Department of Health and Human Services (HHS).

The folks at Inside Indiana Business broke the news quite recently. And it was quite the pickle that Westend Dental found themselves in, I must say. The state began scrutinising the dental practice’s patient privacy and data protection methods following the cyber attack.

It wasn’t just a slap on the wrist, either. The state’s powers-that-be weren’t having it and charged Westend Dental a whopping $350,000, while also demanding they clean up their privacy act.

Deep down the rabbit hole we go, and it gets more intriguing. The Indiana Attorney General, Todd Rokita, claimed the October cyber attack had left the patients' personal health information out in the open. But, even when the clock was ticking, Westend Dental proved tardy and possibly sneaky by failing to report the breach on time. Even worse, the charges went as far as alleging that the dental practice tried to sweep the incident under the rug.

Now, anyone with a pinch of sense might think to question how many poor souls had their information exposed. But it seems Westend skipped that step entirely! Yep, you're reading me right. No efforts were made to launch a forensic investigation. The exact body count, if I may put it that way, remains a puzzle.

Originally, it all started with a cryptic 'tip-off.' One patient lodged a complaint after their dental records request wasn't fulfilled, and et voilà, the Indiana authorities were on the case. They found out that the dental clinic had been hit by a cyber attack around October 20, 2020, which left personal and health information wide open. The catch? Westend didn't spill the beans until October 28, 2022, two whole years later! Talk about being late to the party.

In the healthcare world, there's this thing called the Health Insurance Portability and Accountability Act (HIPAA). It's a US federal law, designed to keep healthcare privacy safe and sound. And as per its rules, you have to raise the alarm within 60 days of discovering a breach.

Now, here's where it gets proper murky. First, Westend Dental failed to announce the breach or look into it thoroughly. And then, when the Indiana authorities sniffed around, they got a wobbly tale insinuating there had never been a breach to begin with! Quite cheeky if you ask me, considering their patient files were trapped behind the unbreakable doors of encryption.

As of now, it’s all hanging in the balance, and Westend will have to own up to their error if the settlement is approved. That includes sending out individual notification letters to every patient they had around November 2023 informing them about the October 2020 disaster. Westend will also give an online heads-up. Plus, other major remedial steps to comply with HIPAA’s Privacy and Security regulations will be imposed.

So that's our tale. Goes to show how crucial it is for your local healthcare provider to be diligent about cybersecurity, doesn't it?

by Parker Bytes
