PHI Exposure Reported by Lone Peak Physical Therapy and First Choice Dental
Patient Records Potentially Viewed at Lone Peak Physical Therapy
Lone Peak Physical Therapy, the operator of 10 physical therapy centers in Montana, had a break-in at its Bozeman billing office and clinical space on October 21, 2023. The robbery was detected on Monday, October 23, 2023, when staff returned to work. The robbery was reported to law enforcement and an inventory was conducted to determine which items had been stolen. They included a safe containing patient payments, billing information, and laptop computers. The laptop computers were encrypted so data on those devices cannot be accessed, nor can they be used to access the network. If the intruder attempts to pawn any of the stolen data, the Gallatin County Sheriff’s Department will be notified.
There were locked filing cabinets in the office that contained hard copies of patient records. Lone Peak Physical Therapy said none of the hard copies appear to have been removed, but it is not possible to tell if any of those files were viewed. The files contained the records of 5,809 patients and out of an abundance of caution, those individuals have been offered complimentary credit monitoring services.
“Lone Peak apologizes for the stress and worry this situation may have caused its patients and is taking appropriate measures to avoid an incident of this nature from happening in the future.”
First Choice Dental Alerts Patients About the Potential Exposure of their PHI
First Choice Dental, the operator of 12 clinics in Madison and Dane County, WI, has recently reported a 1,000-record data breach to the Office for Civil Rights. Since this is an interim notification, that figure may be amended up or down pending the completion of its investigation.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
According to its notification letters, unauthorized network activity was detected on October 22, 2023. A third-party cybersecurity firm was engaged to investigate the breach and determined that an unauthorized third party had accessed its network. The investigation into the incident is ongoing, and the data exposed is still being analyzed. Formal data breach notifications will be mailed to the affected individuals when the investigation and file review are completed, and it has been determined exactly what types of data have been exposed. In the interim, out of full transparency, patients have been informed about the cyberattack via a website notice.
First Choice Dental took prompt action to block any further access to its network and has implemented several additional safeguards to better protect patient data. They include an XDR/EDR solution on all PC & server endpoints, immutable off-site backups of critical servers and site servers, full password resets for admin accounts, removal of unnecessary admin accounts, patching of the ESXiArgs vulnerability on its VMware vSphere environment, and the implementation of a fine-grained AD password policy for all users. First Choice Dental is also replacing its multifactor authentication and firewall and has disabled remote access until the implementation is complete.
Credit should be given to First Choice Dental for the transparency about the data breach and for providing a detailed interim notification to patients.
November 2025 Update: While the OCR breach portal still shows the breach as affecting 1,000 individuals, the data breach affected more than 159,000 individuals. Further information can be found in this post about the resultant litigation, which has now been settled for a maximum of $1,225,000.
