DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

What is the cost of not purging data or moving it offline, Sunday edition

Posted on March 19, 2023 by Dissent

Maybe one day, a law or regulation will require entities to purge old data that is no longer needed or requires it to be disconnected from the internet. If anyone needs a fresh example of why we need that type of law or regulation, here it is:

Richard T. Miller, DMD, PC, d/b/a Great Neck/Mid Island Dental (“Great Neck Dental”)  acquired the assets of another dental practice back in 2015. The law firm of Cooperman Lester Miller Carus LLP (“CLMC”) was hired to assist with the transaction and was provided with certain patient information.

Fast forward seven years.

On October 7, 2022, CLMC notified Great Neck Dental that it had learned that one of its partners had an email account compromised between March 27 and June 1, 2022. When CLMC reviewed the compromised account, they found patient data from Great Neck Dental that could have been accessed. Information in the partner’s email account included patients’ names, dates of birth, Social Security numbers, and dental insurance information.

Great Neck Dental is not aware of any misuse of the information. Still, it now has the obligation under HIPAA to notify 22,933 patients, many of whom may no longer be at the addresses they were at in 2015 and many of whom may never have become their patients when Great Neck Dental purchased the assets of the other practice.

In addition to the costs of investigating and notifying patients, Great Neck Dental also has the cost of offering them credit monitoring and identity restoration services for a year with IDX. DataBreaches does not know whether Great Neck Dental has any insurance policy that will cover all the costs, or if the law firm is covering costs, or some combination, but a lot of time and costs have been incurred over an easily avoided breach.

Why was protected health information from that 2015 business transaction still sitting in an email account of an unnamed law firm partner?

What security provisions did the law firm have in place with its partner, and when was the last time any of it was reviewed?

It was probably a bit of a shock to Great Neck Dental to be told that patient data from seven years previously was involved in a data breach at a firm they may never have heard of and that they may have never contracted with directly.

There are lessons to be learned or re-learned:

  • Purge old data that is no longer needed for the purpose for which it was originally collected and stored. If you’re not sure you should or can purge it, then at least encrypt it and move it offline; and
  • If you are the covered entity or firm contracting with a vendor, make sure you have provisions in your contract detailing should happen to protected health information at the conclusion of any services. Then monitor to make sure those provisions are followed.

 

Category: Breach IncidentsBusiness SectorHackHealth DataHIPAASubcontractor

Post navigation

← MONTI ransomware gang leaks Donut Leaks (UPDATED)
Au: Skin cancer survey hack may have ‘compromised’ personal details, Medicare numbers of participants →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.