As a small update to my breach entry of May 19, it seems that Delta Dental notified the New Hampshire Attorney General’s Office about the incident. In a letter from their lawyers dated May 16, Delta Dental states that they first became aware of the loss from an “unrelated third party” on February 24, and that the theft of the disk occurred on February 22.
Most of the letter reiterates what was in their previous public notice about the incident, but it’s significant, I think, that their notice states:
We have requested that The Smile Center dental clinics, their law firm, and their expert witness comply with all notification requirements, including notifying the affected individuals of the theft. However, they have refused to do so.
It is not clear to me on what basis The Smile Center can reasonably refuse to notify individuals of a data breach like this, and they have not issued any statements that might explain. Perhaps their lawyers dispute Delta Dental’s claims about who is legally responsible for notifications in this type of situation.
As of today’s date, the incident has not shown up on HHS’s breach tool web page. I have written to HHS to inquire about whether this incident was reported to them, and if not, will they investigate to find out why not? Of course, it’s possible that it’s already been reported to them but affected fewer than 500 people which is why it wouldn’t show up, but I would like to find out definitively whether this incident was ever reported, as Delta Dental’s correspondence asserts that The Smile Center has not made any notifications. It’s also unclear from currently available information whether Delta Dental has also taken the step of notifying HHS. Since it’s only two weeks since their notification to New Hampshire, it may be that they’ve notified HHS also but it just hasn’t shown up yet on their site.
I’ll keep watching this one because it’s an unusual situation and it strikes me that the patients got caught in the middle of this situation.