DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

What is the cost of not purging data or moving it offline, Sunday edition

Posted on March 19, 2023 by Dissent

Maybe one day, a law or regulation will require entities to purge old data that is no longer needed or requires it to be disconnected from the internet. If anyone needs a fresh example of why we need that type of law or regulation, here it is:

Richard T. Miller, DMD, PC, d/b/a Great Neck/Mid Island Dental (“Great Neck Dental”)  acquired the assets of another dental practice back in 2015. The law firm of Cooperman Lester Miller Carus LLP (“CLMC”) was hired to assist with the transaction and was provided with certain patient information.

Fast forward seven years.

On October 7, 2022, CLMC notified Great Neck Dental that it had learned that one of its partners had an email account compromised between March 27 and June 1, 2022. When CLMC reviewed the compromised account, they found patient data from Great Neck Dental that could have been accessed. Information in the partner’s email account included patients’ names, dates of birth, Social Security numbers, and dental insurance information.

Great Neck Dental is not aware of any misuse of the information. Still, it now has the obligation under HIPAA to notify 22,933 patients, many of whom may no longer be at the addresses they were at in 2015 and many of whom may never have become their patients when Great Neck Dental purchased the assets of the other practice.

In addition to the costs of investigating and notifying patients, Great Neck Dental also has the cost of offering them credit monitoring and identity restoration services for a year with IDX. DataBreaches does not know whether Great Neck Dental has any insurance policy that will cover all the costs, or if the law firm is covering costs, or some combination, but a lot of time and costs have been incurred over an easily avoided breach.

Why was protected health information from that 2015 business transaction still sitting in an email account of an unnamed law firm partner?

What security provisions did the law firm have in place with its partner, and when was the last time any of it was reviewed?

It was probably a bit of a shock to Great Neck Dental to be told that patient data from seven years previously was involved in a data breach at a firm they may never have heard of and that they may have never contracted with directly.

There are lessons to be learned or re-learned:

  • Purge old data that is no longer needed for the purpose for which it was originally collected and stored. If you’re not sure you should or can purge it, then at least encrypt it and move it offline; and
  • If you are the covered entity or firm contracting with a vendor, make sure you have provisions in your contract detailing should happen to protected health information at the conclusion of any services. Then monitor to make sure those provisions are followed.

 

Related posts:

  • MN: Delta Dental Disk with The Smile Center Patient Data on It Stolen Months Ago; No One Notified Patients?! (update1)
  • Dental Center of Northwest Ohio’s notifies patients after IT vendor Arakÿta experiences ransomware incident
  • Jones Family Dental Notice Of Data Event
  • MN: Delta Dental Disk with The Smile Center Patient Data on It Stolen Months Ago; No One Notified Patients?! (update1)
Category: Breach IncidentsBusiness SectorHackHealth DataHIPAASubcontractor

Post navigation

← MONTI ransomware gang leaks Donut Leaks (UPDATED)
Au: Skin cancer survey hack may have ‘compromised’ personal details, Medicare numbers of participants →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.