Update on Dyras Dental ransomware attack
On September 24, DataBreaches.net contacted Dyras Dental in Lansing, Michigan to ask about Egregor threat actors’ claim that they had attacked them and exfiltrated data. Dyras Dental did not respond to that contact or to my subsequent DM to them on Twitter.
On October 5, not seeing anything on Dyras Dental’s web site or Twitter account to alert patients, and having viewed files with PII and PHI that Egregor had already dumped on their clearnet and dark web leak sites, DataBreaches.net reached out to Dyras Dental again. Again, they didn’t respond at all.
On November 9, DataBreaches.net wrote an opinion piece arguing that patients needed to be notified of ransomware attacks much sooner than they had been to date. In a companion file, “Without Undue Delay,” DataBreaches.net noted that Egregor ransomware threat actors had added Dyras Dental in Michigan to their leak site in September. As I reported in that paper:
The data dumped by the attackers as initial proof contained more than 100 files, almost all of which dealt with financial aspects such as insurance billings with patient protected health information, employees’ W-2 statements, and voice mail recordings containing patient-related information. Dyras still has not responded to inquiries sent to it in September and October and there is still no statement to be found on their web site.
On re-check yesterday, DataBreaches.net found that there was still no notification on the practice’s web site, nor any press release or media notice that I could find. Nor was there anything on HHS’s public breach tool. But there were two developments:
First: the Egregor threat actors had dumped what appeared to be all of the data they had exfiltrated from Dyras Dental — when decrypted, it came to almost10 GB of files that included employee data, patient data, and business records including accounts information. Many of the files appear to be from the practice’s Dentrix system.
Second: At some point after my October attempt to contact them via DM, @DyrasDentalPLLC blocked DataBreaches.net’s account on Twitter (@PogoWasRight). This, of course, was an utterly brilliant incident response on their part because we know that stonewalling journalists and privacy advocates always makes the problems go away.
It is now more than 70 days since DataBreaches.net first became aware of this incident and reached out to Dyras. Have they notified any patients that their protected health information is freely available both on clearnet and on the dark web? Have they notified HHS?
Perhaps they have notified both. But in an abundance of caution (see how cleverly I worked that in?), DataBreaches.net has referred the matter to HHS with a request that they investigate to determine if Dyras Dental has notified patients about this incident and/or what steps they have taken.
Lest it sound like a grudge referral, it is not. Dyras Dental is not the only entity that this site has reported to HHS because there was no public notification after more than 60 days. HHS is currently investigating other complaints this site has submitted of this type and this site will be submitting a number more.
It is not that this site is unsympathetic to the impact of ransomware attacks on victims. But when an entity knows that data are already being dumped, they should not be taking 60 days or longer to start to warn people to take steps to protect themselves.
Update of March 22, 2021: Today, the Dyras Dental incident was added to HHS’s public breach tool as impacting 2,745 patients. A notification was also posted on the covered entity’s site. It begins:
Dyras Dental recently discovered unauthorized access to its network occurred between approximately September 14, 2020 and September 24, 2020.
“Recently discovered?” They were contacted in September with proof of unauthorized access. And contacted multiple times thereafter to inquire about the exposed data.
And although they offer those affected complimentary services, their web site notice does not actually tell people that their PII and PHI were actually dumped on the dark web and clear net for anyone and everyone to download. DataBreaches.net continues to believe that patients should be notified when the entity knows that data has been dumped or made publicly available.
Eventually, HHS will send this site a closing letter about the complaint that this site had filed about Dyras’s lack of timely notification. That letter may make it clearer whether Dyras’ notification or post-incident steps were in any way impacted by the complaint or if they were totally unrelated.