Back in February, this site reported that a Patterson Dental anonymous FTP server was leaking patient data, according to a security researcher who had discovered the problem and reported it to them and then this site. One of the entities, the Massachusetts General Hospital Dental Group, had patient data caught up in that leak, and was notified of that by DataBreaches.net.
Since then, I’ve wondered why I didn’t see the incident on HHS’s breach tool or any public notice.
Today, they issued their notice. It’s somewhat concerning because it seems that Patterson Dental may still be claiming they were hacked instead of acknowledging that there was no security on those files that prevented anyone from downloading them. I do not believe the researcher “hacked” them. I believe they failed to secure their files and he just went ahead and downloaded them while downloading other files from their server – a server that had been created to provide support documentation for their product.. If what the researcher did is a violation of the federal hacking statute, CFAA, then all of us are at risk every time we download a file because maybe, unbeknownst to us, the entity didn’t intend to make that particular file available.
The researcher was raided by the FBI on May 27, as I reported on the Daily Dot. That appears to be the day after they gave Massachusetts General the green light to start notifying.
Alarming patients by telling them their data was hacked if it was only downloaded by a researcher who promptly notified the responsible party is somewhat misleading. Despite MGHDG’s statement, I’m still coding this incident as “exposure,” not “hacking.”
Here is Massachusetts General Hospital’s notification:
Massachusetts General Hospital (MGH) is deeply committed to the security and confidentiality of our patients’ information, including any such information maintained by our third-party vendors. Regrettably, this notice concerns an incident involving some of that information.
Patterson Dental Supply Inc. (PDSI) is a trusted third-party vendor that provides software that helps manage dental practice information for various providers, including MGH. On February 8, 2016, we learned that an unauthorized individual gained access to electronic files used on PDSI’s systems, which we later confirmed contained some MGH dental practice information. PDSI reported the incident to law enforcement. Thereafter, law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation. On May 26, 2016, law enforcement gave permission to notify, and we began notification as quickly as possible once we completed our investigation.
Based on our investigation, with the cooperation of PDSI, we determined that the files stored by PDSI included limited information related to some of our dental practice patients. That information included patient name, date of birth and Social Security number and, in some instances, may have also included date and type of dental appointment, dental provider name and medical record number. This incident did not involve any unauthorized access to any of MGH’s systems or to any files maintained by MGH.
We are committed to the security of sensitive information maintained by our third-party vendors and are taking this matter very seriously. To help prevent this type of incident from happening again, PDSI took steps to enhance the security of its systems that maintain dental practice data.
We regret any inconvenience caused by this incident. We began mailing letters to affected individuals Wednesday, June 29, 2016, and we have established a dedicated call center to answer any questions they may have. If you believe you may be affected and have not received a letter by July 14, or if you have additional questions, please call our dedicated assistance line at (877) 223-3764, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide reference number 5211062216 when calling.