Dental Care Alliance Data Breach Impacts More Than 1 Million Patients

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, has been hacked and the protected health information of more than a million individuals has potentially been compromised. The breach occurred on September 18, 2020, was detected on October 11, and was contained on October 13.

A breach notification submitted to the Maine Attorney General’s office indicates some patient information was acquired by the hackers, such as patient names in combination with financial account numbers, although Dental Care Alliance said only around 10% of the affected individuals had their financial account number exposed. For the majority of individuals affected by the breach, the information potentially compromised was limited to names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, and health insurance information.

Dental Care Alliance said it acted quickly when the breach was discovered to secure its systems to prevent any further unauthorized access. Additional safeguards have since been implemented to prevent further breaches and further training has been provided to employees on data security. The investigation into the breach is continuing and Dental Care Alliance will continue to review the data potentially at risk and will provide further information to affected individuals if new facts are learned about the attack. The breach notification letters do not provide further information on the exact nature of the attack.

Dental Care Alliance sent notification letters to the 1,004,304 affected individuals in November. The letters explained that while the attackers did access certain files, “no specific evidence” was found to indicate any patient information has been used for malicious purposes. It does not appear that affected individuals are being offered any credit monitoring or identity theft protection services.

The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected but was later amended to 1,723,375 individuals.

Legacy Community Health Services Email Breach Impacts 3,076 Patients

Legacy Community Health Services (LCHS) in Texas is notifying 3,076 individuals that some of their protected health information was contained in an email account that was accessed by an unauthorized individual. LCHS identified an unauthorized login to an employee’s email account on July 24, 2020, and a password reset was performed the same day.

A third-party cybersecurity firm was engaged to investigate the breach and the review of the compromised account was completed on September 22, 2020. The review revealed the account contained patient names and limited clinical information related to care received and one patient’s driver’s license number. Misuse of patient information is not suspected. Notifications were sent to the 3,076 patients on November 20, 2020.

This is the third email breach to be reported by LCHS in 2020. An email account breach was reported to the HHS’ Office for Civil Rights in September as affecting 228,000 individuals, and a breach was reported as affecting 19,000 individuals in June 2020.

Hillcrest Nursing Center Discovers Unauthorized Medical Record Access by Former Employee

Hillcrest Nursing Center in Round Lake Beach, IL has discovered the protected health information of certain residents may have been viewed by an unauthorized individual.

On or around August 4, 2020, Hillcrest Nursing Center terminated one of its staff physicians. On August 23, 2020, Hillcrest was informed by some family members of residents that they had received a phone call from the terminated physician who had discussed care and treatment. An investigation was launched which revealed the physician still had access to the Hillcrest medical record system.

The physician’s login was immediately revoked, and a review was conducted to determine which records could potentially have been accessed. The review was completed on October 9, 2020 and confirmed the terminated physician had access to 1,030 records which included names, Social Security numbers, insurance information, medical histories, and treatment information.

All affected individuals have now been notified and complimentary identity theft restoration and credit monitoring services are being provided. A new policy has now been implemented that requires access to the electronic medical record system to be immediately revoked when staff members are terminated or otherwise leave employment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.