DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Massachusetts General Hospital Dental Group notifies patients of Patterson FTP server incident

Posted on June 29, 2016 by Dissent

Back in February, this site reported that a Patterson Dental anonymous FTP server was leaking patient data, according to a security researcher who had discovered the problem and reported it to them and then this site. One of the entities, the Massachusetts General Hospital Dental Group, had patient data caught up in that leak, and was notified of that by DataBreaches.net.

Since then, I’ve wondered why I didn’t see the incident on HHS’s breach tool or any public notice.

Today, they issued their notice. It’s somewhat concerning because it seems that Patterson Dental may still be claiming they were hacked instead of acknowledging that there was no security on those files that prevented anyone from downloading them. I do not believe the researcher “hacked” them. I believe they failed to secure their files and he just went ahead and downloaded them while downloading other files from their server – a server that had been created to provide support documentation for their product.. If what the researcher did is a violation of the federal hacking statute, CFAA, then all of us are at risk every time we download a file because maybe, unbeknownst to us, the entity didn’t intend to make that particular file available.

The researcher was raided by the FBI  on May 27, as I reported on the Daily Dot. That appears to be the day after they gave Massachusetts General the green light to start notifying.

Alarming patients by telling them their data was hacked if it was only downloaded by a researcher who promptly notified the responsible party is somewhat misleading. Despite MGHDG’s statement, I’m still coding this incident as “exposure,” not “hacking.”

Here is Massachusetts General Hospital’s notification:

Massachusetts General Hospital (MGH) is deeply committed to the security and confidentiality of our patients’ information, including any such information maintained by our third-party vendors. Regrettably, this notice concerns an incident involving some of that information.

Patterson Dental Supply Inc. (PDSI) is a trusted third-party vendor that provides software that helps manage dental practice information for various providers, including MGH. On February 8, 2016, we learned that an unauthorized individual gained access to electronic files used on PDSI’s systems, which we later confirmed contained some MGH dental practice information. PDSI reported the incident to law enforcement. Thereafter, law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation. On May 26, 2016, law enforcement gave permission to notify, and we began notification as quickly as possible once we completed our investigation.

Based on our investigation, with the cooperation of PDSI, we determined that the files stored by PDSI included limited information related to some of our dental practice patients. That information included patient name, date of birth and Social Security number and, in some instances, may have also included date and type of dental appointment, dental provider name and medical record number. This incident did not involve any unauthorized access to any of MGH’s systems or to any files maintained by MGH.

We are committed to the security of sensitive information maintained by our third-party vendors and are taking this matter very seriously. To help prevent this type of incident from happening again, PDSI took steps to enhance the security of its systems that maintain dental practice data.

We regret any inconvenience caused by this incident. We began mailing letters to affected individuals Wednesday, June 29, 2016, and we have established a dedicated call center to answer any questions they may have. If you believe you may be affected and have not received a letter by July 14, or if you have additional questions, please call our dedicated assistance line at (877) 223-3764, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 5211062216 when calling.

Category: Commentaries and AnalysesExposureHealth DataOf NoteU.S.

Post navigation

← TheDarkOverlord names the Farmington victim and releases data
MN: Washington County security breach may affect Section 8 residents →

3 thoughts on “Massachusetts General Hospital Dental Group notifies patients of Patterson FTP server incident”

  1. Justin Shafer says:
    June 29, 2016 at 7:21 pm

    Wonder what maricopa county will say…..

    Dummies.

  2. Trent says:
    June 30, 2016 at 12:37 pm

    Patterson should not be given the luxury of a free pass on this one. They played fast and loose with the security of their clients database and the patient info within. Passing the buck claiming they were hacked is absolute horse puckey. They have caused irreparable harm to the researchers reputation and could have easily destroyed his business by falsely accusing him of hacking when they simply left data out in the open. Patterson didn’t get raided at gunpoint.

    1. Dissent says:
      June 30, 2016 at 12:53 pm

      I agree completely. I do not trust that HHS OCR will really investigate this like it should be investigated. Someone should probably file a formal complaint with HHS OCR that points them to other coverage and statements. I do want to see the Probable Cause affidavit when it’s available.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.