How to respond to a data breach in a dental practice
Kirsten Peremore
Mar 3, 2025 10:41:02 AM

In dental practices, a data breach typically involves the compromise of patient information, such as personal details, medical records, or financial data. The scale of the response depends on the severity and scope of the compromise, but the core steps, from identification through notification and record keeping, are the same for every incident.
What is a data breach?
A data breach occurs when unauthorized individuals gain access to, acquire, or disclose protected or sensitive data without proper authorization. It involves the compromise of data, such as personal information, financial records, or intellectual property, either through malicious activities or unintentional actions. Data breaches can be caused by cyberattacks, system vulnerabilities, physical theft, insider threats, and more.
Steps for dental practices dealing with a data breach
Incident identification
Promptly identify and document any potential breach or security incident. Sources include system and application logs, security monitoring tools, employee reports, and suspicious-activity alerts. Record the date and time the incident was first noticed: under HIPAA the notification deadlines run from the day the breach was discovered (or, with reasonable diligence, should have been discovered), so that timestamp matters later.
Response team formation
Assemble a designated incident response team that includes key individuals from IT, compliance, legal, and management, assigning these roles now if they were not assigned in advance. This team coordinates and executes the breach response plan.
Preliminary assessment
Conduct an initial assessment to gather information about the breach. Determine the nature and scope of the incident, the type of data potentially compromised, and the potential impact on patients and on the practice.
Containment
Take immediate action to contain the breach and prevent further unauthorized access to or disclosure of PHI. This may involve isolating affected systems from the network, disabling compromised accounts and resetting their credentials, or implementing temporary security measures. Contain without destroying evidence: do not wipe or rebuild affected machines, and preserve logs, mailbox contents and disk images before making changes, since the investigation and any regulator inquiry will depend on them.
External expert involvement
Engage external experts, such as legal counsel or cybersecurity professionals experienced in HIPAA breaches, to provide guidance and support throughout the assessment and containment process.
Investigation and documentation
Conduct a thorough investigation into the breach to determine its root cause, the extent of the data compromised, and any vulnerabilities that allowed the breach to occur. Document the findings, actions taken, and remediation efforts.
Notification and reporting
Determine whether the breach meets the criteria for notification to affected individuals, the Office for Civil Rights (OCR), or other regulatory bodies. Follow the appropriate notification and reporting requirements within the specified timeframe.
Mitigation and assistance
Implement measures to mitigate the impact of the breach on affected individuals. This may include offering credit monitoring services, providing guidance on protecting personal information, or assisting with identity theft resolution.
Documentation retention
Maintain detailed records of the breach response process, including incident reports, notifications, evidence collection, and actions taken. These records are necessary for compliance, legal purposes, and potential audits.
American Dental Association (ADA) guidelines for data breaches
The ADA provides guidelines and resources to assist dental practices in safeguarding protected health information (PHI) and protecting against cyber threats. Industry specialist Paul Redding notes in an interview with the ADA: "I think [a] major misconception dental practices often operate under is the mistaken belief that because you use an electronic health record or practice management software your data is protected and your practice is compliant."
General guidance includes:
- Administrative safeguards: The ADA recommends that dental practices develop a comprehensive security plan that outlines policies and procedures for protecting PHI. This plan should include measures such as workforce training and awareness programs to educate employees about their roles and responsibilities in safeguarding patient data. The guidelines also stress the requirement to designate a privacy and security officer who will oversee compliance with privacy and security policies.
- Technical safeguards: Dental practices are encouraged to implement technical safeguards to secure electronic PHI (ePHI). This includes using access controls like unique user IDs and passwords to limit access to authorized individuals. The ADA advises the use of encryption for transmitting ePHI over networks and recommends implementing mechanisms for audit logs, which can help track and monitor access to ePHI systems.
- Physical safeguards: The ADA guidelines emphasize the need to protect physical access to areas where PHI is stored. This involves measures such as securing computer workstations and restricting access to storage areas that contain PHI. The guidelines also recommend implementing policies for the disposal of PHI, including shredding or permanently destroying paper records and properly wiping electronic media.
- Risk assessments: The ADA advises dental practices to conduct regular risk assessments to identify potential vulnerabilities and evaluate the effectiveness of security measures. These assessments help in identifying areas of improvement and developing strategies to mitigate risks. The guidelines suggest that dental practices should document their risk assessments and periodically review and update them to address emerging threats and changes in technology.
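The incident identification step and the ADA's audit-log safeguard above both assume someone actually reviews access logs for ePHI. The following is an added example, not code from the article, the ADA or any practice-management vendor: it parses a small constructed audit log (the format, user names, clinic hours, internal network range and "bulk access" threshold are all assumptions for illustration), flags the kinds of events that usually open an incident, and records the discovery time that starts the HIPAA notification clock.

```python
"""Review a constructed ePHI audit log for breach indicators and open an incident record.

Added example: the log format, account names, thresholds and network ranges below are
assumptions; real practice-management systems each log access differently.
"""
from collections import defaultdict
from datetime import datetime, timedelta, time
import ipaddress

BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed clinic hours
BULK_THRESHOLD = 5                                   # distinct patient records per user per window (assumed)
BULK_WINDOW = timedelta(minutes=10)
PRACTICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address range
DISABLED_ACCOUNTS = {"temp_hygienist"}               # accounts offboarded but still able to log in
REVIEW_TIME = datetime(2025, 2, 12, 9, 0)            # when this review was run (constructed)

# Constructed sample log: timestamp, user, action, patient record id, source IP.
SAMPLE_LOG = """\
2025-02-10T08:55:12 jsmith view 1001 10.0.0.21
2025-02-10T09:02:44 jsmith view 1002 10.0.0.21
2025-02-10T09:10:03 dr.lee view 1003 10.0.0.30
2025-02-10T17:20:31 rbrown view 1004 10.0.0.25
2025-02-10T23:41:09 rbrown export 1005 203.0.113.7
2025-02-10T23:41:10 rbrown export 1006 203.0.113.7
2025-02-10T23:41:11 rbrown export 1007 203.0.113.7
2025-02-10T23:41:12 rbrown export 1008 203.0.113.7
2025-02-10T23:41:13 rbrown export 1009 203.0.113.7
2025-02-11T02:03:55 temp_hygienist view 1100 10.0.0.41
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record_id, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "record": record_id, "ip": ipaddress.ip_address(ip)})
    return sorted(events, key=lambda e: e["ts"])


def flag_events(events):
    """Return [(event, [reasons])] for every event that trips at least one rule."""
    reasons = defaultdict(list)
    for i, e in enumerate(events):
        if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
            reasons[i].append("after-hours")
        if not any(e["ip"] in net for net in PRACTICE_NETWORKS):
            reasons[i].append("external-ip")
        if e["user"] in DISABLED_ACCOUNTS:
            reasons[i].append("disabled-account")
    # Bulk-access rule: one user touching BULK_THRESHOLD distinct records inside a sliding window.
    by_user = defaultdict(list)
    for i, e in enumerate(events):
        by_user[e["user"]].append(i)
    for idxs in by_user.values():
        start = 0
        for end in range(len(idxs)):
            while events[idxs[end]]["ts"] - events[idxs[start]]["ts"] > BULK_WINDOW:
                start += 1
            window = idxs[start:end + 1]
            if len({events[i]["record"] for i in window}) >= BULK_THRESHOLD:
                for i in window:
                    if "bulk-access" not in reasons[i]:
                        reasons[i].append("bulk-access")
    return [(events[i], reasons[i]) for i in sorted(reasons)]


def open_incident(flagged, reviewed_at):
    """Build the initial incident record, or None if nothing was flagged.

    The 60-day notification clock runs from discovery: the day the practice knew, or with
    reasonable diligence should have known, of the breach. Both the review time and the
    earliest suspicious event are recorded so counsel can decide which date that is.
    """
    if not flagged:
        return None
    return {
        "discovered_at": reviewed_at,
        "earliest_event": min(e["ts"] for e, _ in flagged),
        "accounts": sorted({e["user"] for e, _ in flagged}),
        "records_touched": sorted({e["record"] for e, _ in flagged}),
        "notice_deadline": reviewed_at + timedelta(days=60),
    }


def run_review(log_text=SAMPLE_LOG, reviewed_at=REVIEW_TIME):
    """Parse, flag and open an incident in one call; returns (flagged, incident)."""
    flagged = flag_events(parse_log(log_text))
    return flagged, open_incident(flagged, reviewed_at)


if __name__ == "__main__":
    flagged, incident = run_review()
    for e, why in flagged:
        print(e["ts"].isoformat(), e["user"], e["action"], e["record"], ", ".join(why))
    print(incident)
```

On the constructed log the review flags the five after-hours exports by `rbrown` from an address outside the practice network and the login by the disabled `temp_hygienist` account, and leaves the daytime views alone. In a real review the flagged records are the starting point for the preliminary assessment above: which patients' PHI was viewed or exported, by whom, and whether the account was the legitimate user's or a compromised one.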
When to report to the OCR
A dental practice meeting the definition of either covered entity or business associate should report a HIPAA data breach to the Office for Civil Rights (OCR) in the following circumstances:
- Breach of 500 or more individuals: If a data breach affects 500 or more individuals, the dental practice must report the breach to the OCR without unreasonable delay, and no later than 60 calendar days after discovery, at the same time it notifies the affected individuals. If more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must also be notified within the same 60-day window.
- Breach of fewer than 500 individuals: If a data breach affects fewer than 500 individuals, the dental practice must record it in a breach log and submit the log to the OCR no later than 60 days after the end of the calendar year in which the breach was discovered. Each annual submission covers the breaches discovered during that calendar year; affected individuals must still be notified within 60 days of discovery.
- Risk assessment and the meaning of "discovery": An impermissible use or disclosure of PHI is presumed to be a reportable breach unless the practice documents a risk assessment showing a low probability that the PHI was compromised, based on the nature and extent of the PHI involved, who received or accessed it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. For all of the deadlines above, a breach is treated as discovered on the first day it is known to the practice or, by exercising reasonable diligence, would have been known, which is why the date of first detection should be recorded at the identification step.
Communicating with patients
A HIPAA breach must be communicated to affected patients without unreasonable delay, and no later than 60 days after discovery. Prompt notification enables affected patients to take steps to protect themselves and limit potential harm.
Dentists should prepare a clear and concise breach notification letter that describes what happened (including the date of the breach and the date of discovery, if known), the types of information involved, the steps patients should take to protect themselves, what the practice is doing to investigate, mitigate harm and prevent recurrence, and how to contact the practice with questions (a toll-free number, email address, website, or postal address). The notice must be written and sent by first-class mail, or by email where the patient has agreed in advance to receive notices electronically, for example through a HIPAA compliant email service. If contact information is out of date for ten or more patients, a substitute notice is required, either a posting on the practice's website for 90 days or a notice in major print or broadcast media, with a toll-free number patients can call.
Incidents of dental data breach
A notable dental-related data breach is the one suffered by the Professional Dental Alliance (PDA) between March 31 and April 1, 2021, which resulted from an email phishing incident. The breach did not involve patient electronic dental records or dental images, but sensitive personal information may have been present in the compromised email accounts. It affected 125,760 patients across multiple states and was reported to the OCR.
FAQs
What are some common causes of healthcare data breaches?
Common causes include phishing attacks, ransomware, insider threats, and inadequate cybersecurity measures such as failure to encrypt sensitive data.
How long does it typically take to identify and contain a data breach in healthcare?
Industry breach-cost surveys have reported an average of about 212 days to identify a data breach and a further 75 days to contain it, which is why regular log review and monitoring matter: the HIPAA notification clock starts when the practice should reasonably have known about the breach, not when it finally notices.
What regulatory body oversees healthcare data breaches in the U.S.?
The OCR within the HHS oversees and investigates reported healthcare data breaches.