Both River Arch Dental and Hamner Square Dental sent patients a letter on July 16 about a breach that occurred when a business partner’s employee violated their security protocols:
We are writing to inform you of the following incident and the steps we have taken and are taking to respond to it. On May 10, 2012, in the course, of upgrading to a new imaging and management software called Eaglesoft to better serve you, a representative of one of our dental practice’s business partners, Patterson Dental, visited our offices and, without our knowledge or consent in violation of our policies and procedures in exporting your data for the new systems conversion process had placed an unencrypted USB memory chip containing data from our practice into a sealed envelope and deposited it at a local post office to be sent through the U.S. mail to their technical headquarters. On May 14, 2012, this envelope arrived at its destination with a tear on the side and without the USB memory chip. The representative and this business partner have searched and continue to search for this USB memory chip, but have not located it to date. They believe it is most likely that the memory chip was “squeezed out” of the envelope and the envelope torn when the letter was put through a processing machine at the post office. We were notified by Patterson Dental on May 18, 2012 of this occurrence. Since that time when we were notified about the missing USB memory chip, we, along with Patterson Dental, have been investigating and continue to investigate this incident. We are taking steps to enhance our security procedures to protect our information to prevent such an incident from happening again.
The USB memory chip contained information, including names, home addresses, telephone numbers, e-mail addresses, ID numbers, dates of birth, driver’s license numbers, social security numbers, dental information and dental insurance information of some of our patients. We have not received any report of fraud or identity theft from any of our patients and are otherwise unable to determine whether your information was ever in fact accessed by an unauthorized person.
[…]