White and Bright Family Dental in Fresno is notifying patients of a recent hack. In a letter dated February 16 to patients, they write:
On January 30, 2018, a business computer server containing your protected health information was accessed by cyber criminals. We immediately notified the Fresno Police Department, so that identification and prosecution of those involved could begin. A police report has been prepared on this incident; the report number is 18300943.
What Information was Involved?
The business computer server that was accessed without authorization contained specific personal information such as patient name, address, telephone number, social security number, date of birth, driver license number, insurance information, and dental history.
What We Are Doing:
We believe that this information was accessed, but do not have knowledge regarding if information was copied or stolen, and we do not know the intent of the cyber criminals with respect to the data accessed. This incident is currently under review by our practice, and in response we have heightened our security measures to prevent a future recurrence. In accordance with our policies and procedures, please be assured that all necessary actions are being taken including notification of government agencies as required, including the active and ongoing investigation by the Fresno Police Department referenced above.
What You Can Do:
As always, we recommend that you review your health statements for accuracy and let us know if something does not look right. Review statements from your financial institutions and the businesses you frequent, to ensure that inaccuracies are detected and immediately reported. The police report number listed above may be required to clear you of any fraudulently detected charges that may occur.
For your protection, you may want to contact one of the national credit reporting agencies to place a fraud alert in your file and to receive a free copy of your credit report. We are informed that the agency you contact will notify the other two agencies.
Here are the names of the credit reporting agencies and their contact information:
Equifax 1-800-525-6285; www.equifax.com
Experian 1-888-397-3742; www.experian.com
TransUnion 1-800-680-7289; www.transunion.comFor More Information:
Our practice respects your right to file a complaint. If you have any questions, concerns or wish to file a complaint with us, please contact us at (559) 432-9988.
You also have the right to contact the Department of Health and Human Services through the Office for Civil Rights regarding a health information privacy complaint at 1-800-368-1019.
On behalf of our practice, we offer our sincerest apology that this unfortunate incident occurred. We assure you that safeguarding your information is always one of our highest priorities.
Sincerely,
_________________________ Salih M. Mayalidag, D.D.S.
On a positive note, they seem to have detected the intrusion promptly and began incident response quickly. Good for them!
Their notification does not indicate how many patients were notified, but I expect we’ll see this on HHS’s breach tool at some point.
I always wonder about the specifics… everytime. Dentrix, Eaglesoft or Open Dental? How did the attackers get inside the network, or was it outside? Very few dental offices can tell if someone gains access to a dental office database unless the attackers made themselves.. known. Did they use an office exploit? Did someone find their mouse moving when it shouldn’t of been? The list goes on and on and on…
I always wonder the same thing, and not just about dental offices. 🙂