There’s a somewhat interesting follow-up to a situation DataBreaches.net first reported in February. Back then, DataBreaches.net had reported that 22,000 patients from several health care providers had their PHI exposed on an FTP server that Patterson Dental used to provide support documentation for its Eaglesoft software. That report was based on information and screenshots provided by dental technician/researcher Justin Shafer. Shafer had notified Patterson after discovering the exposed patient data while this site notified one of the affected Patterson clients, Massachusetts General Hospital Dental Group. MGH subsequently notified HHS and their patients.
Shafer also blogged about his findings in February, and, unrelated to the exposed files, publicly criticized the security of the Eaglesoft product. As he had done with Henry Schein Dental’s Dentrix software, Shafer also contacted CERT and filed a vulnerability report about Eaglesoft’s use of hardcoded database credentials – a vulnerability report that Patterson Dental does not appear to have responded to even six months later.
In May – between this site’s reporting, Shafer’s reporting and vulnerability report to CERT, and MGH’s notification to patients – the FBI raided Shafer. It appeared, although Patterson Dental never stated so publicly, that Patterson may have accused Shafer of hacking its anonymous public FTP server. Attempting to portray Shafer as a hacker struck this blogger as shooting the messenger or covering up a security failure, as this site had confirmed that the files were publicly accessible with no login required and had been indexed by search engines.
In any event, as a result of Shafer’s information and having confirmed that no login was required to access the files, DataBreaches.net categorized the incident as a human error “insider” breach that resulted in exposure of PHI. This site continues to view it as an error on Patterson’s part unless or until it sees some evidence to the contrary.
Fast forward to yesterday, when I discovered a breach notification letter dated August 20, 2016. It was submitted to the Oregon Attorney General’s Office by Howard R. Jarvis, D.M.D., L.L.C. dba Southwest Portland Dental.
Read the first parts of their notification and I’ll meet you on the other side:
Southwest Portland Dental (SPD) is deeply committed to the security and confidentiality of our patients’ information, including any such information maintained by our third-party vendors. Regrettably, we are writing to inform you of an incident involving some of that information. We believe we have taken every step necessary to address this incident and prevent future incidents. Please read the following for more information.
I. What Happened
Patterson Dental Supply Inc. (PDSI) is a trusted third-party vendor that provides software to dentists to help manage dental practice information. On July 1, 2016, we determined that between April 2012 and January 2016 one or more unauthorized individuals gained access to a network resource site used by SPD and PDSI in 2010 to exchange data between software systems.
II. What Information Was Involved
The software provided by PDSI to dentists was not, nor were any networks or systems maintained by SPD, involved in this incident. However, we have confirmed that the affected site used to make the 2010 data transfer included electronic files containing SPD dental practice information. Based on our investigation, with the cooperation of PDSI, we determined that the files located on the site included limited information related to some of our patients, possibly including you. The information contained data fields and scattered information within a file such that a person who obtained access to this information would need to take further action to be able to assemble a record about any particular patient. However, because of our knowledge and experiences with the file, we can confirm that, if successfully manipulated, the information involved included patient names, dates of birth, and Social Security numbers. We have no information suggesting that any of the unauthorized individuals successfully assembled a record about any particular patient nor do we have any evidence suggesting that any person intends to use any of this information for malicious purposes.
III. What We Are Doing
PDSI reported the unauthorized access to law enforcement and acted immediately to restrict any further external access to the site. PDSI also hired outside experts to help determine what occurred and to evaluate the risk of harm posed by this event. Law enforcement investigators required that PDSI and SPD delay any public announcement or notification to potentially affected individuals while they were conducting their investigation. On May 26, 2016, law enforcement gave PDSI permission to notify. SPD began this notification as quickly as possible once SPD had completed its own independent investigation.
In light of the new information provided in that notification letter, DataBreaches.net sent an inquiry to Patterson Dental with some questions, but has not received any reply by the time of this publication. I’m going to outline the questions and issues I see here:
- MGH’s notification letter did not indicate when access to their patient data may have first occurred, whereas SPD claims the earliest access to its patients’ data was in April 2012. If there were access logs that showed access in 2012, how is it that Patterson Dental failed to detect allegedly unauthorized access before 2016? Did they maintain adequate logs and audit them as they should have under HIPAA’s technical safeguards?
- Why was a resource that reportedly hadn’t been used since 2010 still accessible at all? When was the last time Patterson Dental or SPD reviewed the security of that resource? Did SPD even know their patients’ information was still available online? Should Patterson have removed it, and if so, why hadn’t they?
- SPD was not one of the entities whose patient data appeared in the file Shafer had downloaded and that this site reported on in February; when asked, Shafer confirmed that SPD was not among the entities whose data he obtained from the unsecured file. So was there more than one directory or file on the FTP server that contained unencrypted patient data? How many other clinical practices had inadequately secured patient data on this FTP server?
- How many IP addresses accessed files with unencrypted PHI?
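The last two questions, when access first occurred and how many distinct addresses fetched files containing PHI, are exactly what an auditor would answer from the FTP server’s transfer log, which is why the HIPAA technical-safeguard question about logging matters. The script below is an added example and is not code from this post, from Patterson Dental or from any investigator: it parses a handful of constructed xferlog-style lines (the transfer-log format written by common Unix FTP daemons) and reports, for every download of a file under an assumed sensitive directory, the earliest and latest access, whether the access was anonymous, and the distinct remote hosts involved. The directory prefix, the log lines, the file names and the addresses are all made up for the example.

```python
import re
from datetime import datetime

# Constructed sample records in xferlog style; none of this is real log data.
# Fields: timestamp, transfer seconds, remote host, bytes, path, transfer type,
# special-action flag, direction (o = download, i = upload), access mode
# (a = anonymous, r = real user), user name, then service/auth/completion fields.
SAMPLE_XFERLOG = """\
Mon Apr  2 10:11:12 2012 3 192.0.2.10 40960 /pub/support/eaglesoft_manual.pdf b _ o a ftp ftp 0 * c
Mon Apr  2 10:13:40 2012 5 192.0.2.10 2097152 /pub/support/2010_transfer/spd_export.dat b _ o a ftp ftp 0 * c
Tue Jun 12 08:00:01 2012 1 198.51.100.7 4096 /pub/support/2010_transfer/spd_export.dat b _ o a ftp ftp 0 * c
Wed Jan 20 23:45:09 2016 4 203.0.113.5 2097152 /pub/support/2010_transfer/spd_export.dat b _ o a ftp ftp 0 * c
Wed Jan 20 23:46:00 2016 2 203.0.113.5 81920 /pub/support/incoming/upload.tmp b _ i a ftp ftp 0 * c
Thu Feb  4 12:00:00 2016 1 192.0.2.99 1024 /pub/support/readme.txt a _ o a ftp ftp 0 * c
"""

# One record: a five-token date followed by whitespace-separated fields.
XFERLOG_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<ttype>[ab]) (?P<flag>\S) (?P<direction>[oid]) (?P<mode>[ar]) (?P<user>\S+)"
)

# Assumed location of the old practice-data export on the server (hypothetical).
SENSITIVE_PREFIX = "/pub/support/2010_transfer/"


def parse_xferlog(text):
    """Yield one dict per well-formed record; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # strptime treats the single space in the format as "one or more", so the
        # padded day in "Apr  2" parses correctly.
        rec["when"] = datetime.strptime(rec["date"], "%a %b %d %H:%M:%S %Y")
        yield rec


def audit_sensitive_downloads(text, prefix=SENSITIVE_PREFIX):
    """Summarise downloads (direction 'o') of files under prefix.

    Returns {path: {"first_seen": datetime, "last_seen": datetime,
                    "anonymous": bool, "hosts": sorted list of remote hosts}}.
    Uploads and files outside the prefix are ignored.
    """
    report = {}
    for rec in parse_xferlog(text):
        if rec["direction"] != "o" or not rec["path"].startswith(prefix):
            continue
        entry = report.setdefault(rec["path"], {
            "first_seen": rec["when"], "last_seen": rec["when"],
            "anonymous": False, "hosts": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], rec["when"])
        entry["last_seen"] = max(entry["last_seen"], rec["when"])
        entry["anonymous"] = entry["anonymous"] or rec["mode"] == "a"
        entry["hosts"].add(rec["host"])
    for entry in report.values():
        entry["hosts"] = sorted(entry["hosts"])
    return report


def distinct_hosts(report):
    """Number of distinct remote hosts that downloaded any file in the report."""
    return len({h for entry in report.values() for h in entry["hosts"]})


if __name__ == "__main__":
    result = audit_sensitive_downloads(SAMPLE_XFERLOG)
    for path, entry in result.items():
        print(f"{path}: first {entry['first_seen']:%Y-%m-%d}, last {entry['last_seen']:%Y-%m-%d}, "
              f"anonymous={entry['anonymous']}, hosts={entry['hosts']}")
    print("distinct hosts touching sensitive files:", distinct_hosts(result))
```

On the constructed data the export file shows a first anonymous download in April 2012 and three distinct hosts by January 2016; a review of this kind, run against real logs at the time, is what would let a provider answer the first-access and how-many-addresses questions rather than leaving them open. The parser deliberately skips unparseable lines instead of aborting, since rotated or partially corrupted logs are the norm in an investigation.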
If Patterson provides answers to any of the questions, this post will be updated.
I hope HHS actually investigates and audits access logs and technical safeguards for that FTP server as they were at the time Shafer downloaded that file. There is no closing note on the Massachusetts General Hospital entry on HHS’s public breach tool as of today.
Then, too, maybe the FTC should investigate Patterson Dental. Did the exposure of patient information cause substantial harm to consumers that they could not avoid, and if so, was there “unreasonable security” on Patterson’s part that was the cause of actual or likely substantial harm? And what about the firm’s seeming failure to timely respond to the vulnerability reported to CERT? The vulnerability would appear to put patients at risk of substantial injury that they cannot reasonably avoid. As CERT notes:
An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information.
CERT could not offer a solution to the problem, but did offer some mitigation strategies. Do those using the vulnerable version(s) of Eaglesoft know the risks, though, so that they can act on the mitigation advice? Has Patterson Dental advised its Eaglesoft clients of the risk? And why haven’t they come up with a solution to the problem or provided some statement to CERT as to their progress in addressing the security vulnerability? DataBreaches.net understands that newer versions of the software may not have this issue, but how many dental practices are still using a vulnerable version, and how many patients could be at risk? Is this an “unfair” practice under the FTC Act?