DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Massachusetts General Hospital Dental Group notifies patients of Patterson FTP server incident

Posted on June 29, 2016 by Dissent

Back in February, this site reported that a Patterson Dental anonymous FTP server was leaking patient data, according to a security researcher who had discovered the problem and reported it to them and then this site. One of the entities, the Massachusetts General Hospital Dental Group, had patient data caught up in that leak, and was notified of that by DataBreaches.net.

Since then, I’ve wondered why I didn’t see the incident on HHS’s breach tool or any public notice.

Today, they issued their notice. It’s somewhat concerning because it seems that Patterson Dental may still be claiming they were hacked instead of acknowledging that there was no security on those files that prevented anyone from downloading them. I do not believe the researcher “hacked” them. I believe they failed to secure their files and he just went ahead and downloaded them while downloading other files from their server – a server that had been created to provide support documentation for their product.. If what the researcher did is a violation of the federal hacking statute, CFAA, then all of us are at risk every time we download a file because maybe, unbeknownst to us, the entity didn’t intend to make that particular file available.

The researcher was raided by the FBI  on May 27, as I reported on the Daily Dot. That appears to be the day after they gave Massachusetts General the green light to start notifying.

Alarming patients by telling them their data was hacked if it was only downloaded by a researcher who promptly notified the responsible party is somewhat misleading. Despite MGHDG’s statement, I’m still coding this incident as “exposure,” not “hacking.”

Here is Massachusetts General Hospital’s notification:

Massachusetts General Hospital (MGH) is deeply committed to the security and confidentiality of our patients’ information, including any such information maintained by our third-party vendors. Regrettably, this notice concerns an incident involving some of that information.

Patterson Dental Supply Inc. (PDSI) is a trusted third-party vendor that provides software that helps manage dental practice information for various providers, including MGH. On February 8, 2016, we learned that an unauthorized individual gained access to electronic files used on PDSI’s systems, which we later confirmed contained some MGH dental practice information. PDSI reported the incident to law enforcement. Thereafter, law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation. On May 26, 2016, law enforcement gave permission to notify, and we began notification as quickly as possible once we completed our investigation.

Based on our investigation, with the cooperation of PDSI, we determined that the files stored by PDSI included limited information related to some of our dental practice patients. That information included patient name, date of birth and Social Security number and, in some instances, may have also included date and type of dental appointment, dental provider name and medical record number. This incident did not involve any unauthorized access to any of MGH’s systems or to any files maintained by MGH.

We are committed to the security of sensitive information maintained by our third-party vendors and are taking this matter very seriously. To help prevent this type of incident from happening again, PDSI took steps to enhance the security of its systems that maintain dental practice data.

We regret any inconvenience caused by this incident. We began mailing letters to affected individuals Wednesday, June 29, 2016, and we have established a dedicated call center to answer any questions they may have. If you believe you may be affected and have not received a letter by July 14, or if you have additional questions, please call our dedicated assistance line at (877) 223-3764, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 5211062216 when calling.

Related posts:

  • Southwest Portland Dental notifies patients of Patterson Dental breach
  • Employee and patient files from Montgomery General Hospital leaked by ransomware group
  • 22,000 dental patients’ info exposed on unsecured Eaglesoft FTP server
  • Privacy Incident at Massachusetts General Hospital’s Neurology Department
Category: Commentaries and AnalysesExposureHealth DataOf NoteU.S.

Post navigation

← TheDarkOverlord names the Farmington victim and releases data
MN: Washington County security breach may affect Section 8 residents →

3 thoughts on “Massachusetts General Hospital Dental Group notifies patients of Patterson FTP server incident”

  1. Justin Shafer says:
    June 29, 2016 at 7:21 pm

    Wonder what maricopa county will say…..

    Dummies.

  2. Trent says:
    June 30, 2016 at 12:37 pm

    Patterson should not be given the luxury of a free pass on this one. They played fast and loose with the security of their clients database and the patient info within. Passing the buck claiming they were hacked is absolute horse puckey. They have caused irreparable harm to the researchers reputation and could have easily destroyed his business by falsely accusing him of hacking when they simply left data out in the open. Patterson didn’t get raided at gunpoint.

    1. Dissent says:
      June 30, 2016 at 12:53 pm

      I agree completely. I do not trust that HHS OCR will really investigate this like it should be investigated. Someone should probably file a formal complaint with HHS OCR that points them to other coverage and statements. I do want to see the Probable Cause affidavit when it’s available.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.