Dental Care Alliance is notifying patients this week of a hacking incident that began on September 18, was discovered October 11, and contained on October 13.
Dental Care Alliance, LLC is based in Sarasota, Florida, and describes itself as a dental support organization. As it informs patients on its web site:
You won’t see the Dental Care Alliance name on any practice door, but more than 320 affiliated dental practices in 20 states are backed by our commitment to ensuring uncompromising dental care at costs you can afford. We’re Stronger Together…
From their template notification, a copy of which was obtained by DataBreaches.net, they report that the information that could have been subject to unauthorized access included:
name, address, dental diagnosis and treatment information, patient account number treating, billing information, dentist’s name, bank account number, and health insurance information. Only approximately 10% of the population had a bank account number potentially impacted.
With all that sensitive information involved, you might think that the practice would offer remediation services to the 1,004,304 people affected, but they do not seem to have made any such offer — at least not to residents of Maine.
DataBreaches.net emailed DCA to get clarification as to why there was no offer of mitigation services. The email also asked other questions, including whether this was a ransomware incident. Dave Quigley, General Counsel for DCA, did not answer all questions put to him, but did respond:
Thank you for your inquiry. DCA has notified impacted individuals and all relevant regulatory bodies of this matter. We have seen no specific evidence that personal information was used for malicious purposes. We will continue to do all that is necessary and appropriate to support and inform impacted individuals in the days ahead.
And for those who are wondering: no, DCA does not seem to have any affiliated practices in California, so CCPA doesn’t seem to come into play here. But can a lawsuit be far behind with all those data types involved?
I received a notification letter and called the number provided. It was to a call center and the letter was essentially read back to me. You are correct in the types of data harvested and the seemingly cavalier attitude by DCA. Me not happy at all…