Dave Bohman of WNEP recently reported on a breach involving Lanap & Dental Implants of Pennsylvania. The breach involved someone uploading a copy of the dental group’s practice management software (Dentrix) to a torrent site. The upload didn’t just contain the software, however. It also contained unencrypted patient record databases. As a result, over 11,000 patients – mostly from their Williamsport office – had their personal and protected health information available for free downloading.
Although the breach was first reported in the media this week, it seems that the patients’ protected health information – including Social Security numbers for almost 9,000 patients – has been available on torrent sites for almost four years now. And at least some of the affected patients reportedly never knew their sensitive information had been exposed until WNEP contacted them.
Bohman reported:
Scott McIntosh, a lawyer for the dental practice, and its owner Dr. David DiGiallorenzo called this, “An unauthorized hacking incident,” adding, “Much as the sanctity of the home is violated in a burglary, this illegal intrusion has caused real and lasting damage, and Dr. DiGiallorenzo and his patients are the victims. “
When the practice learned of the breach last fall, it sent 5,000 letters to patients.
You can read Bohman’s full article and watch the video of his newscast on WNEP.
The discrepancy in numbers – 11,000 patients in the database records but only 5,000 notification letters – caught my attention, and I started digging into the breach and the files.
My inspection of the files revealed that patients’ names, addresses, dates of birth and telephone numbers are in the database. The majority of the patients had their Social Security numbers listed. The patients’ records include the dates of their appointments and the types of services provided. There are also files containing the patients’ dental insurance information and account balances. Other records showed what prescriptions had been written for named patients (mostly antibiotics and pain killers). In other words, a criminal would have pretty much everything needed to steal someone’s identity and/or engage in medical identity theft.
After doing some more investigating, I contacted Scott McIntosh by e-mail to ask him to verify or clarify a few points. His response was cordial, but unhelpful:
In lieu of addressing your questions, I would like to advise you that we have complied fully with the state and federal notification requirements for such a breach. This matter has been referred to the FBI for investigation and, hopefully, prosecution.
Dr. DiGiallorenzo and his practice will have no further comment.
As I replied to Mr. McIntosh, if his client would like to reconsider their “no comment” response and provide additional details, I will be happy to update or correct this post, as needed. In any event, here are my questions and concerns:
Was it a Hack or Employee Error?
Mr. McIntosh asserted that they had been the victims of a hack. Was a hack actually confirmed by the forensic investigation or is that just their belief? The individual who uploaded the software and database to the torrent site had written:
I found a USB flash drive in the middle of the road and it had this Dentrix software on it. I don’t know if it needs activated or who would even be looking for this type of software, but someone put on a flash drive for a reason, so here ya go.
Of course, that person could simply have been lying about how s/he obtained the program and database, but could it have been that simple? Could someone involved in the practice have downloaded a copy of everything onto a flash drive to take it home to work on it and subsequently lost it? From inspection of the data in the torrent, it appears that some of the files were last updated on May 1, 2009. The files were first uploaded to a torrent site in February 2010, and the dental practice was notified by the person who recognized that there was a breach on September 17, 2012. Did the practice’s logs go far enough back for the forensic investigators to conclusively determine in October 2012 what happened on or about May 1, 2009?
Encryption vs. Obfuscation: Were the Security Controls HIPAA-Compliant?
From what I’ve read on CERT, the Dentrix version in question used FairCom’s “standard encryption” which really wasn’t encryption at all. In response to a vulnerability reported to CERT, FairCom recently re-branded that system as “Data Camouflage” and noted the importance of implementing AES encryption. But back in 2009, what did their documentation say and did the dental practice have AES encryption enabled or did they rely on the default and weaker protection of “standard encryption” that was camouflage/obfuscation but not encryption – or was there no protection at all?
I realize encryption is not required under the HIPAA security rule, but is data camouflage or obfuscation sufficiently protective as an alternative, even with a firewall? I would think it’s not, but that’s for HHS to rule on, I think. Of course, if it turns out the data were downloaded by an employee who lost an unencrypted flash drive, that issue might become somewhat secondary for this breach and focus would presumably shift to policies, access control, monitoring and audit trails.
The Threat to Patients of ID Theft is Increasing Daily
The database has been online since February 2010, and is now available on about 18 sites as of yesterday. Indeed, as I’ve checked into things, I’ve discovered that the number of sites hosting the torrent in question and the number of seeders have both been increasing. One torrent site alone reports over 9,000 downloads of the files. It’s important to note that many of the mirrors were created months ago, long before WNEP ran its story.
As mentioned earlier, the dental practice was notified of the breach on September 17, 2012. In November 2012, the practice reportedly notified (only?) 5,000 people by letter. They reportedly did publish a substitute notice in local media (as required by HITECH), but why weren’t there over 11,000 notification letters – or at the very least, letters for everyone whose SSN was in the database?
Lee J of CyberWarNews.info routinely analyzes data dumps, and has partially analyzed this one. In his analyses, Lee found that there were 8,939 Social Security numbers linked to patients’ names and addresses, a finding that is consistent with my inspection of the files. And since patients’ dates of birth were also stored in the database, ID thieves have all they need to steal over 8,900 patients’ identities. So why were only 5,000 patients notified by letter? I wish the practice had answered that question with an actual explanation instead of just an assertion that they complied with all breach notification requirements. There may be something I’m not aware of, but I genuinely do not understand how they determined only 5,000 letters were required.
Did the Practice Offer Affected Patients any Free Credit Monitoring Services?
Although no federal or state law requires breached entities to offer free credit monitoring services, HIPAA does require breached entities to mitigate harm or potential harm. Given that thousands of patients’ SSN remain online, these patients have been, and remain at, significant risk of identity theft. What is the dental practice doing to help mitigate harm or risk of harm, other than telling people to check their credit reports? If they have offered patients free credit monitoring and other services, my apologies, but I was unable to find any reference to such support.
I note that although WNEP reports that there is no evidence that any of the personal information taken from the Williamsport dental office has been used by identity thieves, such statements don’t mean that much considering how many patients seemingly were not informed that the practice had had a breach. Without that notification, even if they had become victims of ID theft, they wouldn’t have any reason to notify the dental practice. In this case, “no evidence of ID theft” is not evidence of no ID theft.
What, if Anything, did the Practice and Dentrix/HenrySchein Do to Try to Get the Torrent Removed?
Did the dental practice try but fail, or didn’t they try because some of the sites are hosted outside of the U.S., or…? And did Dentrix/HenrySchein make any effort to get the files removed by filing a copyright infringement notice with the sites? Note that I am not suggesting that Dentrix had any legal obligation to do anything, but did they use their copyright protection to try to help?
Why Wasn’t this Breach listed on HHS’s Public Breach Tool?
Because HHS sometimes delays posting breaches to the public list, PHIprivacy.net sent an inquiry to HHS to verify whether this breach had been reported to them. According to an HHS spokesperson, the breach was reported to them in October 2012 and they are now investigating why it wasn’t posted to the public breach tool. Had it been posted promptly, perhaps more patients might have been aware sooner that they were and are at risk. Regular readers know that I routinely post updates here based on HHS’s breach tool and I could have started investigating this over a year ago to try to increase public awareness of the dangers with this incident. While my blog has a humble following, my reports are often picked up by larger media outlets that could have helped alert patients.
Send in the Investigators
I’ve previously expressed some reservations that perhaps the Federal Trade Commission (FTC) should not have initiated enforcement action against LabMD over a file-sharing breach that occurred in 2008. In the LabMD case, patient records wound up exposed after an employee installed Limewire on their personal laptop that they also used for work. In this case, files containing patient data were intentionally uploaded to a file-sharing site by an external party. Whether the party knew they contained personally identifiable information seems doubtful, but this incident is exponentially worse than the LabMD incident because in this case, patients’ PHI and SSNs remain online and available to identity thieves, and there is nothing the patients could do to prevent the potential harm. Given that the FTC has sued businesses where consumers have experienced, or might experience, significant harm, might the FTC investigate this dental practice for potential violations of the FTC Act?
And what has HHS done since they were first notified last year? Do they understand that thousands of patients are still at risk? Should HHS make this case a priority to investigate and to work with the dental practice to ensure they take any additional steps that might mitigate harm or potential harm to patients? I’d hope so.
Lanap & Dental Implants of Pennsylvania view themselves and their patients as the victims of a hacker. They may be correct (although I’ve yet to see any confirmation of hack as opposed to employee error), but in either case: has the practice really done enough to make the patients whole after this breach?
If I were one of their patients and hadn’t received any notification letter and hadn’t received any offer of free credit monitoring and credit restoration services, I sure wouldn’t think so.Would you? But then, there may be things I don’t know yet. I have filed under Freedom of Information for certain documents and will provide an update to this breach report when I obtain more information.
[Post edited 12-14-13 to clarify confusion as to what type of encryption was part of the Dentrix software package. Although user passwords were an option, there does not appear to have been a genuine encryption option. If HenrySchein Dental or FairCom would like to provide clarification or additional information on that, I’d appreciate it. In any event, the data that were available online were not encrypted at all.]