HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Indiana dental practice faces $350K settlement for ransomware cover-up

Written by Caitlin Anthoney | Jan 8, 2025 3:08:15 AM

An Indianapolis-based dental practice group, Westend Dental, has agreed to a $350,000 settlement with the Indiana Attorney General’s Office (OAG) after a ransomware attack exposed patient data and the practice’s handling of the incident violated federal and state regulations, including the Health Insurance Portability and Accountability Act (HIPAA).

 

What happened

In October 2020, the ransomware group Medusa Locker attacked the dental practice’s systems, encrypting sensitive patient data and leaving behind a ransom note. The breach affected at least 450 individuals and likely more. Westend Dental, however, did not notify affected patients, state authorities, or federal agencies as the law requires.

Instead, the practice claimed the data loss was the result of an accidental hard-drive formatting error. For over two years, no breach notifications were issued, and the dental group continued to operate without addressing the security weaknesses that had allowed the attack.

When the Indiana OAG began investigating a patient complaint about inaccessible dental records, a broader picture of negligence and noncompliance emerged.  

 

What the investigation revealed

Unlocked servers, unsecured data

  • Servers storing protected health information (PHI) were left physically unsecured in employee break rooms without access controls or encryption.  
  • Usernames and passwords were stored in plaintext, leaving accounts open to unauthorized access.
  • No network monitoring systems were in place to detect suspicious activity.  

Ransomware attack mishandled

  • Despite the Medusa Locker ransomware leaving a ransom note, Westend Dental claimed no ransom demand was received. Emails from their IT vendor contradicted this statement, confirming that the attackers demanded payment for decryption keys.  
  • The practice failed to conduct any forensic investigation to assess the breach’s scope or confirm whether data had been exfiltrated.  

HIPAA compliance violations  

  • Westend Dental did not conduct a required risk analysis to identify and address system vulnerabilities.
  • Employees were not trained in HIPAA regulations or data privacy protocols until November 2023 (three years after the breach).  
  • PHI was improperly disclosed in public online forums, such as review responses, without patient consent.  

Operational mismanagement  

  • Dr. Deept Rana, the designated HIPAA compliance officer, had no documented training or responsibilities related to HIPAA.  
  • Kunal Rana, a non-employee who managed the practice’s operations, had no business associate agreement (BAA) in place, as HIPAA requires for third parties that access PHI.

Delayed reporting  

  • No breach notifications were issued to affected patients, the U.S. Department of Health and Human Services (HHS), or the Indiana Attorney General’s Office until 2023, even though HIPAA’s Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after a breach is discovered.

 

What was said

In its initial response, Westend Dental claimed, “This was not a ransomware attack. We did not receive any ransom demand after the data was corrupted.”

 

Moving forward

To settle the case, Westend Dental agreed to pay $350,000 in penalties, notify affected patients of the breach, and implement corrective measures, including employee training, risk assessments, and system upgrades.  

However, the organization could face additional penalties, since a separate investigation by the HHS Office for Civil Rights (OCR) is still ongoing.

 

Why it matters  

Small to mid-sized healthcare providers, such as dental practices, are frequent ransomware targets but often lack the resources or awareness to defend against them.

Furthermore, when providers delay breach notifications, they deny patients the chance to protect themselves through credit monitoring and identity theft measures.

Learn more: FAQs: HIPAA compliance

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party acquires, accesses, uses, or discloses protected health information (PHI) without permission. Examples include hacking, losing a device that contains PHI, and sharing information with unauthorized individuals.

 

What kind of information does HIPAA protect?

HIPAA safeguards PHI, which includes any information that can identify a patient and relates to their health condition, the care they receive, or payment for that care.

See also:  Communications that must remain HIPAA compliant

 

What are the legal risks of not being HIPAA compliant?

Legal risks include regulatory penalties from federal and state enforcement agencies, potential lawsuits from affected individuals, and the associated costs of settlements, legal fees, and reputational damage.