California dentist notifies patients of backup drive stolen from car

Why are we still reading reports of devices with unencrypted patient information being stolen from providers’ unattended vehicles? This is the second report this month I’ve read like this. And while it’s one thing to inform patients that you believe the device was stolen for commercial value and not contents, does this letter go too far in downplaying the risk to patients? 

John E. Gonzalez DDS is notifying an unspecified number of patients that on July 25, 2016, his briefcase was stolen from his car in a smash-and-grab.

“In that briefcase,” Dr. Gonzalez writes, “was an external hard drive containing two different types of data. First, all office patient records were backed up on the drive, including social security numbers, driver’s license numbers, phone numbers, date of birth, physical and email addresses and health insurance information.” No complete credit card information or bank account information was stored on this drive (only the last four digits of the most recent card used is stored), he reports.

Now here’s the part that may make some readers apoplectic. He writes:

However, the risk of accessibility is extremely low because the data in its format is un-readable. In consulting with my dental software experts, they assure me it would be incredibly difficult and unlikely for anyone to access your records. However, since the data is not encrypted, I am required by law to notify you.

Anyone remember Lee J. analyzing data from a Dentrix database that had been uploaded to PirateBay? It may be time-consuming, as the dentist claims, but Lee showed what he could determine.  Such databases are often not really “unreadable” as much as inconvenient to read.

Although Dr. Gonzalez did not respond to my inquiry as to which software he was using, Justin Shafer reviewed his site and informs DataBreaches.net that Dr. Gonzalez appears to be using Practice-Web. Shafer, who has a lot of experience evaluating the security of different dental software platforms, informs DataBreaches.net that

By default, Practice-Web uses “root” as the mysql user and a blank password. If I stole a database out of a trunk, and told any MySQL Database to use it, it would work, and you wouldn’t need to know the password.  Even if they set a password to root, it wouldn’t matter.

[Backend] usernames and passwords on one mysql database server don’t have to carry over to another. A 6th grade kid could just download mysql, setup his own server, and drop in the freedental database into his own mysql installation. That would be the proper way to read this data. He could try to use the actual mysql AND freedental databases he found in the vehicle, and then authenticate with root and a blank password, OR he could just use FreeDental by itself, and have control over his own usernames and password. The third option is: Resetting the password for a mysql database.. for the root\admin user.. But.. once again, why make life harder then it needs to be?

Shafer’s statement makes it sound that extracting and reading the data would be relatively easy, an opinion he reiterated in another comment to this site:

Extracting data from a Practice-Web database could easily be done by anyone. MySQL is a free database server, and arguably the most common database in the entire world. There are countless websites devoted to administering a MySQL Database. They could bring the data to a sixth grader with a decent understanding of computers and get access. All one would need to do is drop in the Freedental folder into the MySQL data folder, restart the server, and access the data, without knowing any password or key in the actual database itself, sort of like restoring a database from a backup.

So who, exactly, reassured Dr. Gonzalez that this would be extremely difficult to do or read, and should Dr. Gonzalez have advised his patients as he did of the risks?

Some identifiable patient images were also on the stolen drive:

Secondly, pictures of patient cases (teeth only, no faces) that included patient first and last names and phone numbers were saved on the drive. These files of pictures are stored in jpeg format and can be opened easily.

Dr. Gonzalez did not offer affected patients any credit monitoring services at his expense. I wonder if he had consulted with Shafer if he would have reached a different decision on that, because later in the notification letter, he reiterated:

Again, after numerous consultations with the dental software company, I am convinced the risk of any unauthorized person being able to access the medical records information (which is listed above) is incredibly low as the software is HIPPA (sic) compliant.

Well, although software can help you achieve compliance with HIPAA, Practice-Web has no stamp of HIPAA compliance from HHS (not that any other software does, either).

Dr. Gonzalez indicates some of the steps he has taken in response to the incident:

We have placed other safeguards with that company which require PIN and caller ID verification to prevent any access to this data by an unauthorized party. All data of patient records is in unreadable format; it cannot be opened without extreme effort, costly purchases, and expert guidance.

But as Shafer notes, that wouldn’t help if the database is already acquired and you have a 6th grader for “expert guidance.”

Although the letter is not dated, the metadata on the file has an August 14th creation date.

The incident is not (yet) up on HHS’s public breach tool, but this post will be updated as more information becomes available.

Update: This subsequently appeared on HHS’s public breach tool as impacting 1,025 patients.

About the author: Dissent