DataBreaches.Net


Update on Dyras Dental ransomware attack

Posted on December 4, 2020 by Dissent

On September 24, DataBreaches.net contacted Dyras Dental in Lansing, Michigan to ask about Egregor threat actors’ claim that they had attacked them and exfiltrated data. Dyras Dental did not respond to that contact or to my subsequent DM to them on Twitter.

On October 5, not seeing anything on Dyras Dental’s web site or Twitter account to alert patients, and having viewed files with PII and PHI that Egregor had already dumped on their clearnet and dark web leak sites, DataBreaches.net reached out to Dyras Dental again. Again, they didn’t respond at all.

On November 9, DataBreaches.net wrote an opinion piece arguing that patients needed to be notified of ransomware attacks much sooner than they had been to date. In a companion file, “Without Undue Delay,” DataBreaches.net noted that Egregor ransomware threat actors had added Dyras Dental in Michigan to their leak site in September. As I reported in that paper:

The data dumped by the attackers as initial proof contained more than 100 files, almost all of which dealt with financial aspects such as insurance billings with patient protected health information, employees’ W-2 statements, and voice mail recordings containing patient-related information. Dyras still has not responded to inquiries sent to it in September and October and there is still no statement to be found on their web site.

On re-check yesterday, DataBreaches.net found that there was still no notification on the practice’s web site, nor any press release or media notice that I could find. Nor was there anything on HHS’s public breach tool. But there were two developments:

First: the Egregor threat actors had dumped what appeared to be all of the data they had exfiltrated from Dyras Dental — when decrypted, it came to almost 10 GB of files that included employee data, patient data, and business records including accounts information. Many of the files appear to be from the practice’s Dentrix system.

TrickBot.DC!MTB was found in the FINANCE directory.

Second: At some point after my October attempt to contact them via DM, @DyrasDentalPLLC blocked DataBreaches.net’s account on Twitter (@PogoWasRight). This, of course, was an utterly brilliant incident response on their part because we know that stonewalling journalists and privacy advocates always makes the problems go away.

It is now more than 70 days since DataBreaches.net first became aware of this incident and reached out to Dyras. Have they notified any patients that their protected health information is freely available both on clearnet and on the dark web? Have they notified HHS?

Perhaps they have notified both. But in an abundance of caution (see how cleverly I worked that in?), DataBreaches.net has referred the matter to HHS with a request that they investigate to determine if Dyras Dental has notified patients about this incident and/or what steps they have taken.

Lest it sound like a grudge referral, it is not.  Dyras Dental is not the only entity that this site has reported to HHS because there was no public notification after more than 60 days. HHS is currently investigating other complaints this site has submitted of this type and this site will be submitting a number more.

It is not that this site is unsympathetic to the impact of ransomware attacks on victims. But when an entity knows that data are already being dumped, they should not be taking 60 days or longer to start to warn people to take steps to protect themselves.

Update of March 22, 2021:  Today, the Dyras Dental incident was added to HHS’s public breach tool as impacting 2,745 patients. A notification was also posted on the covered entity’s site. It begins:

Dyras Dental recently discovered unauthorized access to its network occurred between approximately September 14, 2020 and September 24, 2020.

“Recently discovered?” They were contacted in September with proof of unauthorized access. And contacted multiple times thereafter to inquire about the exposed data.

And although they offer those affected complimentary services, their web site notice does not actually tell people that their PII and PHI were actually dumped on the dark web and clear net for anyone and everyone to download.  DataBreaches.net continues to believe that patients should be notified when the entity knows that data has been dumped or made publicly available.

Eventually, HHS will send this site a closing letter about the complaint that this site had filed about Dyras’s lack of timely notification.  That letter may make it clearer whether Dyras’ notification or post-incident steps were in any way impacted by the complaint or if they were totally unrelated.

 

 

Category: Breach Incidents, Health Data, Malware
