OrthoMinds, a cloud-based orthodontic software vendor, is notifying patients of a data breach exposing sensitive information online.
Georgia-based OrthoMinds, a vendor of cloud-based orthodontic practice software, is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days in November 2024. However, a security researcher disputes this claim, alleging the exposure lasted at least a month and affected over 200,000 patients. The incident, caused by an unsecured database, potentially compromised names, dates of birth, medical information, health insurance details, payment card data, and Social Security numbers.
A security researcher discovered the exposed server in October 2024 while monitoring online endpoints for unsecured data. Although OrthoMinds states that the exposure lasted only 10 days in November, the researcher contends that the database was accessible for at least a month before the company was notified. The compromised data included 1,863.71 gigabytes of information, consisting of over 300 database backups dating back to November 2020. Many of these backups belonged to OrthoMinds' dental clinic clients, affecting a large number of patients.
OrthoMinds initially reported the breach to federal regulators in January 2025, categorizing it as a hacking or IT incident that impacted 501 individuals. However, the scale of exposed data suggests that the actual number of affected patients is significantly higher.
OrthoMinds acknowledged the breach in a public statement: "In November 2024, OrthoMinds learned of a potential incident within its network environment. Upon discovery, OrthoMinds launched an investigation into the nature and scope of this potential incident, including remediation efforts." The company stated that files stored on certain databases "may have been accessible to others outside its organization between Nov. 17 and Nov. 27, 2024."
The company also reassured clients that "there is no evidence indicating that information was misused or there were attempts to misuse [it] to date." To mitigate potential harm, OrthoMinds is offering complimentary credit monitoring to individuals whose Social Security numbers or payment card information may have been compromised.
The security researcher who identified the breach emphasized that the issue stemmed from a misconfigured cloud storage server with no access controls, allowing anyone to view and download sensitive files without authentication.
Data breaches involving healthcare providers can have serious consequences, including identity theft, financial fraud, and violations of patient privacy. The exposure of sensitive health and payment data can leave affected individuals vulnerable to cybercriminals.
Organizations can prevent breaches by implementing strong access controls, regularly auditing security settings, encrypting sensitive data, and training employees on cybersecurity best practices.
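The first two measures named above, access controls and regular audits of security settings, are the ones that would have caught a storage bucket readable without authentication. The following is an added example, not code from the article or from OrthoMinds: an offline audit that walks a constructed inventory of object-storage buckets and reports every bucket policy statement or ACL grant that lets anonymous callers read, rating it lower only when account-level public-access blocking would still stop the exposure. The inventory format mirrors the AWS S3 bucket-policy, ACL-grant and public-access-block shapes as an assumption; other providers express the same controls differently. The bucket names, principals and grants are invented for this example.

```python
"""Offline audit of object-storage access settings for anonymous read access.

Added example, not from the article or from OrthoMinds. The configuration
shape (Policy / Grants / PublicAccessBlock) is assumed to follow the AWS S3
conventions; the sample inventory at the bottom is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Group grantees that make an ACL effectively public. AuthenticatedUsers
# means "any account on the provider", which is public for practical purposes.
ANONYMOUS_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Action prefixes that permit reading or listing objects.
READ_ACTIONS = ("s3:Get", "s3:List", "s3:*", "*")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    bucket: str
    severity: str   # "high": reachable anonymously; "medium": public grant exists but is blocked
    reason: str


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions) -> bool:
    return any(a.startswith(READ_ACTIONS) for a in _as_list(actions))


def policy_public_reads(policy_doc: dict) -> list[str]:
    """One reason string per Allow statement that lets anyone read."""
    reasons = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition (e.g. source IP) may narrow access; a human must review it.
            reasons.append(f"policy statement {sid} allows anonymous read subject to a Condition; review it")
        else:
            reasons.append(f"policy statement {sid} allows unconditional anonymous read")
    return reasons


def acl_public_reads(grants: list) -> list[str]:
    """One reason string per ACL grant giving READ or FULL_CONTROL to a public group."""
    reasons = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in ANONYMOUS_GROUPS
                and g.get("Permission") in ("READ", "FULL_CONTROL")):
            group = grantee["URI"].rsplit("/", 1)[-1]
            reasons.append(f"ACL grants {g['Permission']} to {group}")
    return reasons


def public_access_blocked(pab: dict) -> bool:
    """All four public-access-block switches must be on; an absent setting counts as off."""
    return all(pab.get(k) is True for k in PAB_KEYS)


def audit_bucket(cfg: dict) -> list[Finding]:
    reasons = (policy_public_reads(cfg.get("Policy", {}))
               + acl_public_reads(cfg.get("Grants", [])))
    severity = "medium" if public_access_blocked(cfg.get("PublicAccessBlock", {})) else "high"
    return [Finding(cfg["Name"], severity, r) for r in reasons]


def audit(buckets: list) -> list[Finding]:
    return [f for b in buckets for f in audit_bucket(b)]


# Constructed sample inventory: names, account id and grants are invented.
SAMPLE_INVENTORY = [
    {   # backups readable by anyone, no public-access block ever configured
        "Name": "example-clinic-db-backups",
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-clinic-db-backups/*"}]},
        "Grants": [],
        "PublicAccessBlock": {},
    },
    {   # stale public ACL, but account-level blocking neutralises it
        "Name": "example-exports",
        "Policy": {},
        "Grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
        "PublicAccessBlock": {k: True for k in PAB_KEYS},
    },
    {   # correctly scoped to one role: no finding
        "Name": "example-private",
        "Policy": {"Statement": [{"Sid": "AppRole", "Effect": "Allow",
                                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                                  "Action": "s3:GetObject", "Resource": "*"}]},
        "Grants": [],
        "PublicAccessBlock": {k: True for k in PAB_KEYS},
    },
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.bucket}: {f.reason}")
```

In a real audit the inventory would be built from the provider's own configuration calls (for S3, the output of `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` per bucket) and the check run on a schedule, so that a public grant is noticed in hours rather than discovered by an outside researcher weeks later. The "medium" rating is deliberate: a public grant that is currently blocked is still a misconfiguration to clean up, because it becomes live the moment someone relaxes the account-level block.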
After a data breach, companies should secure their systems, investigate the cause, notify affected individuals, offer credit monitoring if necessary, and report the incident to regulatory authorities.