HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Breach: 11K Dental Patients’ PHI Uploaded to File Sharing Website

Lanap & Dental Implants of Pennsylvania has inadvertently violated HIPAA Privacy and Security Rules following the posting of approximately 11,000 dental records on a torrent site used for Peer to Peer (P2P) file sharing.

P2P file sharing sites allow users to upload data, software and all manner of digital content and share this with a select group of individuals, or make the data available to anyone who visits the site. When “torrents” are created, they are listed on any number file sharing websites simultaneously. Anyone searching for specific files – or types of files – can download the files.

Quite a large number of people appear to have done just that. The data is listed on at least 18 file sharing websites, and to date it has been downloaded over 9,000 times from one website alone. That number could be similar on each of the other websites, or higher.

4-year Breach of PHI and Social Security Numbers

A recent report on WNEP News revealed not only had this information been uploaded to the website, but the information had been available for four years. The data appeared to be the entire database of the company dating back at least 20 years.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The data was stored in a program called Dentrix; the most widely used medical office management system in the United States. The information was found by a Dallas computer technician, Justin Shafer, who was researching Dentrix software.

He came across the database on a file sharing website and decided to download it, along with the Dentrix program which had also been shared on the site. Shafer then registered as a patient at the Lanap & Implant Dental Center in Williamsport, and discovered that he was able to search the entire database of patients, which included 11,000 Social Security numbers along with Personally Identifiable Information.

The company’s database had been uploaded to the site by someone who had found a portable flash drive in the street.

The uploader had also supplied a helpful comment:

I found a USB flash drive in the middle of the road and it had this Dentrix software on it. I don’t know if it needs activated or who would even be looking for this type of software, but someone put on a flash drive for a reason, so here ya go.

Data Breaches Raises Questions About HIPAA Violations

The incident screams HIPAA violation, although the hows, whys and wherefores are not yet known. Why was the company’s database on a flash drive? Had an employee copied the data and lost the drive and failed to report it? Was the data stolen and did the uploader lie about the origin of the data? That information many never be known.

There are other potential HIPAA violations regarding breach notification letters. According to the report, 11,000 records and Social Security numbers were said to be in the database according to Shafer, yet when he alerted the dental practice to the data breach it claimed to have only sent 5,000 breach notification letters. Why some 6,000 letters were not sent to other patients affected by the breach is not known.

Data Was Obfuscated, Not Encrypted

Data in transit should be encrypted, whether that is data transmission or when it is physically being transported on portable drives and devices. In this case the data was protected to some degree by the Dentrix Software, which does adhere to FairCom’s definition of “standard encryption”. However, no data encryption is offered, only data obfuscation: A basic security measure that offers a limited amount of protection against disclosure after loss of a device, but not sufficient to stop that data from being accessed by anyone with some technical knowhow, or in this case, someone who knew how to upload a file to a website.

Since 6,000 individuals were reportedly not contacted, it is difficult to gauge the true extent of the data breach and whether any actual harm was suffered as a result of the data theft/data loss. No credit monitoring services appear to have been offered to help mitigate any damage suffered, and some patients could be totally unaware that their data has been compromised – or worse still, used to commit fraud.

A lawyer for the dental practice – owned by David DiGiallorenzo – issued a statement saying “We have complied fully with the state and federal notification requirements for such a breach. This matter has been referred to the FBI for investigation and, hopefully, prosecution.” He also confirmed that “additional security measures” would be implemented to prevent future breaches and described the data theft as “an unauthorized hacking incident.”The lawyer has also filed a cease and desist order against Justin Shafer to forbid him from talking about the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.