The following is not your typical breach notification. It relates to a situation in which a business associate allegedly refuses to return the patient database despite its EULA and HIPAA obligation. The press release does not indicate whether the covered entity, Key Dental Group, is suing its former vendor to recover the database. Nor does it indicate how many patients have data in the database in question. DataBreaches.net has sent inquiries both to Key Dental Group and to the vendor, MOGO, to ask for more information and in MOGO’s case, their response to Key Dental Group’s allegations, but has received no replies as yet.
At first blush, the allegations and situation described below is reminiscent of a controversy between Texas and Xerox that I had reported on in 2014. This post will be updated if and when DataBreaches.net receives any replies to inquiries.
On October 19, 2018 Key Dental Group, PA (Pembroke Pines, FL) received notification from its former electronic medical record vendor MOGO (414 Plaza Drive, Suite 200 Westmont, IL 60559 www.mogo.com) that MOGO would not be returning Key Dental Group PA’s electronic medical record (EMR) database as required at the termination of the end user license agreement (EULA) between the two companies. MOGO’s decision appears to violate both the EULA it had in place with Key Dental Group, PA and also various portions of the Health Insurance Portability and Accountability Act (https://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html).
As a result of MOGO’s decision which was conveyed in a letter from MOGO’s attorney on October 19, 2018, Key Dental Group can no longer access or monitor the KDG-MOGO database to ensure that unauthorized parties do not gain access to the database and the potential information contained within it including: name, address, date of birth, medical history, diagnosis/conditions, lab/test results, treatment information, medications, health insurance information, and/or claims information. In addition, if patients receive Medicare, their Medicare ID which is also their Social Security number could be subject to unauthorized access. While Key Dental Group cannot definitively say that unauthorized access has or will occur to this database, given the apparent violations of various portions of HIPAA triggered by MOGO’s actions and the sensitivity of the information the database contains, Key Dental Group, PA is publicly notifying its patients at this time of this incident.
Key Dental Group, PA encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. Key Dental Group, PA is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. The relevant contact information is below:
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, and the Federal Trade Commission. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.
Key Dental Group, PA has set up a call center to answer questions from those who might be impacted by this incident. Anyone with additional questions about the incident may contact the call center at 1-844-884-9771 (toll-free), Monday through Saturday, 9:00 a.m. to 9:00 p.m. EDT.
Key Dental Group, PA values patients’ privacy and security and deeply regrets any concern or inconvenience this incident may cause.
SOURCE Key Dental Group, PA. Via PR Newswire.
Update 1 (November 23): Key Dental did go to court against MOGO, seeking emergency injunctive relief. I’ll have more on this story next week as Dr. Heinicke has contacted me to discuss the matter.