On January 22, Robert Smith, DMD, PC in Tennessee reported a breach to HHS. The report indicated that 1,500 patients were impacted by a hacking/IT incident involving their network.
A Google search indicated that the practice was likely to be “Smith Dental” in Tennessee. But I could find no press release or statement on their site that explained more about what happened. On February 5, I sent them an inquiry via their site contact form asking them for more details, but received no response.
Today, I see that they posted something on their web site. I’m not sure when it was first uploaded, although if it was there on February 5 when I wrote to them, I must have just missed it. In any event, if you scroll down to the bottom of the About section, you can find it:
Smith Dental’s internal computer servers were the target of a ransomware attack in November, 2017. While we have not seen evidence that any protected health information was accessed, copied or distributed, it is possible that some clinical, demographic, and financial information was compromised. We have added additional levels of both physical and technical safeguards to protect against future incidents, and are confident that any similar attack would be thwarted going forward.
They’re confident? I wonder if most infosecurity professionals would suggest anyone feel confident these days.
But also disturbingly, the web site notice says:
Patients might consider taking steps to secure their credit profile, or to enroll in commercial credit monitoring services to guard against such breaches.
Patients are invited to call 877-480-0566 with any questions related to this incident.
Patient data may have been compromised, and the burden and cost is put on the patients to protect themselves? If I was a patient, I’d be pretty ticked off at that. That is, if I even knew about the incident. Were letters sent to patients? And if so, do they contain more details, more mitigation help, and maybe some kind of apology for any inconvenience or stress (or cost) the patients have now incurred?
DataBreaches.net submitted a second inquiry to the practice through their contact form, asking whether the patients had been sent letters or if the web site notice was the only notification. Once again, there was an autoresponse that this site’s inquiry was received. But no actual response was received by the time of publication.