Lanap and Implant Center patients never told that their Social Security numbers were – and are – still online for download?!

Sometimes it pays to keep Googling or re-checking with different search strings. Today, I managed to locate the text of what appears to be the The Lanap and Implant Center’s substitute (media) notice on the breach I’ve previously discussed here and here.

First, the text of the notice:

Public Notice or Legal Notice #: 4095248

Notification for Patients of The Lanap and Implan

Notification for Patients of The Lanap and Implant Center. Your privacy is important to us, and thats why we are notifying all of our patients of a breach of patient data on September 17, 2012. An unauthorized third-party was able to access our patient management software, and some of the data accessed may have included dates of birth and / or social security numbers. Since we value your business and privacy, we want to ensure that all patients are notified and can take appropriate measures to protect their information. Our office has implemented additional security measures to prevent a reoccurrence of this type of attack, and we are working with law enforcement to ensure the incident is properly addressed. We suggest you notify law enforcement if you detect any suspicious activity on any of your accounts, and you may also place a fraud alert on your credit report by contacting any of the three major credit bureaus. This alert informs creditors of possible fraudulent activity and notifies you if any accounts are established in your name. We are here to address any concerns you may have, and have set up a toll-free number to answer your questions you may have. To determine if your information was involved in the breach, call us at 570-704-5854.

Posting Date: 01/15/2013 State: Pennsylvania
Category: Miscellaneous County:

That notice raises additional questions for me. The date on the notice says January 15, 2013, but when was this notice first posted? Was it posted within the 60-day requirement of HITECH? The dental practice was informed on September 17, 2012 that they had experienced a breach. They should have notified patients by November 17, 2012, and indeed, a copy of the patient notification letter, shown in WNEP’s newscast (see the video), indicates that letters were mailed within that timeframe on or about November 1, 2012. But letters were reportedly mailed to only 5,000 of the 11,000 patients whose personal and protected health information was in the database, and so the timeliness of the substitute notice seems important.  I’ve seen HHS let entities slide on the 60-day window, but it’s concerning if the substitute notice wasn’t made much sooner than January in this case, given the seriousness of the breach and its ongoing nature.

But would patients even know from the substitute notice or the patient notification letter that this is an ongoing breach?  Were they ever even told that their information was exposed online? Did the practice’s notification and notice  provide accurate and sufficient detail to enable patients to assess their risk and make decisions about how to protect themselves? I’d have to  answer, “No.” Here’s why:

1. The notice indicates the breach occurred on September 17, 2012. But the breach actually occurred on or before February 17, 2010.  The notification letter mailed to patients correctly stated that the practice learned of the breach on September 17, 2012, but didn’t indicate when it actually occurred. Neither the notification letter nor the substitute notice, then, gave patients a fully accurate description of the incident in terms of when it happened and the fact that the patients’ information had been and still was in the wild on torrent sites since February 2010. The only way patients would know that, it seems, is if they watched Dave Bohman’s recent report on WNEP. They certainly didn’t hear it from Lanap & Impant Center’s notification letter or substitute notice.

From my perspective, that’s a major omission or failure in their notification. In fact, I think one could argue that it’s downright deceptive.

2. The notice states “An unauthorized third-party was able to access our patient management software, and some of the data accessed may have included dates of birth and / or social security numbers.” Putting aside for the moment my question as to whether this really was a hack, the practice knew – or had every reason to know – that this wasn’t a “may have” situation where dates of birth and/or SSN “may have” been accessed. Not only were the data acquired (not just accessed), but the data were shared publicly for anyone to download. Furthermore, the notice does not inform patients about all the other types of information about them that were involved in this breach such as their contact details, dental insurance, and prescriptions.

Again, I would view their statement as deceptive and depriving patients of information critical to their ability to protect themselves.

Overall, the notice creates a totally false impression that there was a hack or intrusion of their system on September 17, 2012 and that the incident was over and the practice was taking unspecified steps to prevent a recurrence. But that’s not what happened at all, and the incident is far from over with new mirrors of the patient database popping up even now.  If that had been made clear to patients – that their data had been and still are up on torrent sites (as opposed to them just imagining it sitting on some hacker’s computer), would they take greater precautions to protect themselves from identity theft? Would they sign up for a credit monitoring service? Would they demand that the dentist’s practice pay for credit monitoring services for them for the rest of their lives?

The more I learn about this breach and the incident response, the more convinced I am that both HHS and the FTC really should  thoroughly investigate this breach and the incident response.

Note that my criticisms and concerns have nothing to do with the professional skills of the dentists involved in the practice. They may be absolutely terrific. My questions and concerns are restricted solely to how this breach occurred and how it was handled because I think patients have been left at risk  of serious harm for the rest of their lives. I think this is one of the most worrisome breaches and one of the worst breach responses in the healthcare sector that I’ve ever reported on. And that’s saying something.

About the author: Dissent