In December, DataBreaches reported that the Indiana Attorney General’s Office had brought charges against Westend Dental for a number of HIPAA violations. The state had started investigating the dental practice after a patient complained that the practice had not provided a copy of their records in response to a request. In looking into that complaint, the state discovered evidence of a ransomware attack that had never been disclosed to the state honestly or in a timely manner. When questioned about the 2020 ransomware attack involving Medusa Locker, the dental practice repeatedly denied that there had been a ransomware attack. They kept denying it until a witness admitted during a sworn statement in January 2023 that a ransomware incident had occurred.
A consent order, which had not yet been approved by the court at the time of that reporting, called for Westend Dental to pay $350,000 as a monetary penalty, to notify everyone affected, and to comply with HIPAA, the Indiana Disclosure of Security Breach Act (DSBA), and other requirements. Read more about the state’s case and the terms of the consent order.
The consent order was approved by Judge Matthew Brookman on January 2, 2025, and it appears Westend Dental has begun fulfilling its compliance obligations.
They have reportedly issued a press release, and they have posted a notice on their website. The website notice begins:
Notice of Data Security Incident
Westend Dental is committed to protecting the privacy and security of our patients’ personal information and personal health information. Unfortunately, we are writing to inform you about a data security incident that may have affected some of that information.
What Happened
On or about Oct 20, 2020, Arlington Westend Dental LLC, located at 5900 E 10th St. in Indianapolis, experienced a ransomware attack that encrypted our data and temporarily disrupted our systems. To attempt to solve the disruption, Westend Dental’s IT contractor at the time formatted a drive on our system, but was unable to recover data from internal backups. As such, no subsequent forensic investigation could be completed of the incident. Partial data was recovered from our software providers.
What Information Was Involved
We believe that the affected data may include information such as: Appointment details; Biometric information; Contact information; Insurance information and coverage breakdowns; Account information, such as payments made and due payments; Treatment plans; Dental charts and notes from previous appointments; Images, including scanned copies of New Patient forms; insurance verifications and preauthorization letters; and X-rays. At this time, there is no evidence to suggest that this information has been used for fraudulent purposes.
What We Are Doing
We take the protection of your personal information seriously and deeply regret any inconvenience or concern this may cause. As a result of this incident and in an effort to prevent any such incident in the future, we have overhauled our IT infrastructure at both software and hardware level. This includes additional layers of security, enhanced firewall and encryption protocols, device monitoring regime, and increased employee trainings.
Their full substitute notice can be accessed on their site.
Westend Dental does not mention any wrongdoing, such as lying to the state when the state started to investigate, and the consent order allowed them not to admit any wrongdoing. Nor do they explain why there was a delay of more than four years in notifying individuals. But I wonder how they will answer questions about those issues if any of their patients question them.
The website notice does not state that patients are being mailed individual notifications, but paragraph 45 of the consent order does require them to send notification letters to everyone who was a patient of Westend in November 2023 to notify them of the October 2020 incident.
There are still some things that we — and patients — do not know. The website notice makes no mention of whether the data were ever leaked on the dark web. Did the threat actor ever leak the data? DataBreaches does not know, but the entity says there is no evidence that the data have been used for fraudulent purposes.
We also don’t know how many patients are being notified. The incident still does not appear on HHS’s public breach tool as of publication. Did Westend report it to HHS, with the report simply sitting on an investigator’s desk somewhere being worked on, or has it still not been reported to HHS as required by HIPAA?
This post was edited post-publication to reflect that it was Medusa Locker that was used to encrypt files. A previous version indicated that it was the Medusa ransomware gang. Thanks to @JayeLTee for catching my error.