In 2013, I reported on a patient data breach involving LANAP & Implant Center. I followed up on the breach because although 11,000 patients had their unencrypted personal information uploaded to PirateBay, Dr. DiGiallorenzo had seemingly not notified all patients that their information had been compromised and remained at risk of download by criminals on PirateBay.
For previous coverage of this incident, search for “LANAP & Implant” and “DiGiallorenzo” on this site.
As a result of my inquiries, and of my contacting HHS to alert them that the report they had received from the covered entity appeared to be inaccurate, HHS updated/corrected its entry on the public breach tool. It seems, however, that even though the party who uploaded the files to PirateBay stated that he found a flash drive with the data in the street, OCR accepted the entity’s claim that they were hacked. In closing out their investigation, OCR summarized the incident this way:
An individual hacked into the Dentrix software of the covered entity (CE), Lanap & Implant Center of Pennsylvania (David DiGiallorenzo), and posted patients’ protected health information (PHI) on a “BitTorrent” website (which distributes files over the Internet), piratebay.com. The breach involved the PHI of 11,000 individuals and included names, as well as dates of birth and social security numbers for some of the individuals. The CE provided breach notification to HHS, affected individuals whose PHI was compromised, and the media, as well as substitute notification. Following the breach, the CE received security updates from Dentrix. As a result of OCR’s investigation, the CE increased safeguards by implementing security measures on its electronic systems.
I hope the notification to patients made clear to them that their SSNs and details remain available for download by anyone and everyone. Although OCR summarizes the leak as, “Social security numbers for some of the individuals,” my inspection of the leaked database and Lee J.’s independent analysis both found that over 8,000 patients had their SSNs exposed on PirateBay. If I were one of the affected patients, I’d seriously consider a security credit freeze over the long term.