Indiana AG Secures $350,000 Penalty to Resolve Egregious HIPAA Violations
An Indianapolis dental practice has agreed to pay a financial penalty of $350,000 to the Office of the Indiana Attorney General (OAG) to resolve multiple alleged violations of federal and state laws related to an October 2020 ransomware attack and data breach that went unreported for more than two years.
Several dental practices operate under the name Westend Dental, including Westend Dental LLC, Arlington Westend Dental LLC, Sherman Westend Dental LLC, Fountain Square Westend Dental LLC, Lafayette Westend Dental LLC, and Affordable Westend Dental LLC, all of which are owned by Dr. Pooja Mandalia D.D.S. The Indiana OAG opened an investigation of Westend Dental following a complaint from a patient who had requested a copy of their dental records; the practice could not provide them because of a hacking incident.
The Indiana OAG investigation uncovered evidence that Westend Dental had experienced a ransomware attack on or around October 20, 2020, involving state residents' protected health information. Westend Dental did not submit a data breach notification form to the Indiana OAG until October 28, 2022, more than two years after the attack and data breach occurred. In that notification, Westend Dental denied that a ransomware attack or data breach had occurred, stating instead that patient data was lost when a hard drive was accidentally formatted. It was only during sworn testimony in January 2023 that a witness confirmed there had been a data breach. That testimony prompted the Indiana OAG to initiate a wider investigation into compliance with the HIPAA Rules and state laws, which revealed extensive HIPAA violations.
Practice owner Dr. Mandalia is married to Dr. Deept Rana D.D.S., and a separate company, Westend Dental Management LLC, is owned by Kunal Rana, the brother of Dr. Deept Rana. Dr. Deept Rana was purportedly designated the HIPAA Privacy and Security Officer for all Westend Dental practices; however, that designation was never documented, and Dr. Rana had not received regular HIPAA training prior to November 2023. Kunal Rana, who is not a dentist, rented properties to Westend Dental and assisted with the management of the dental practices even though he was neither an employee nor a contractor, and there was no business associate agreement between the practices and Kunal Rana.
The Medusa Locker ransomware group gained access to a server used by Arlington Westend Dental, which at the time had 450 patients; across all of its companies and practices, Westend Dental served around 17,000 patients at the time of the attack. Medusa Locker encrypted files on the Arlington Westend Dental server and therefore had access to the protected health information of at least those 450 patients, but the total number of affected patients is unknown because no forensic investigation of the attack was ever conducted.
According to the OAG complaint, Medusa Locker commonly breaches networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP). It is not clear whether RDP was the entry point in this case, because no assessment was ever conducted to determine whether RDP had been compromised. Because the initial access vector was never identified and nobody checked whether Medusa Locker retained access to the server, the group may well have been able to continue to access the server and potentially other systems.
Westend Dental maintained lists of usernames and passwords in plain text on the compromised server, and the same username and password were used for every Westend Dental server that contained protected health information, as well as for an SQL database containing patient information. When questioned about whether monitoring systems were in place, Dr. Rana, who was responsible for all IT-related matters at Westend Dental at the time of the attack, could not recall whether any monitoring system existed, and there was no apparent system or policy for tracking who had accessed protected health information.
Backups of patient data had been made by a third-party software vendor, but those backups were incomplete and did not include all patient data. HIPAA policies and procedures were not given to employees or made readily available to them, and there was no HIPAA training for employees prior to November 2023. While Westend Dental paid for HIPAA compliance software on or around November 20, 2023, the OAG alleges that Westend Dental is still not compliant with the HIPAA Rules. For instance, the OAG stated that there was no notice of privacy practices on its website, no evidence that a HIPAA-compliant risk analysis had ever been conducted, no password policies until at least January 2024, and no physical safeguards to limit access to servers containing patient data. Some servers were located, unprotected, in employee break rooms and bathrooms.
Neither the Indiana Attorney General nor the HHS' Office for Civil Rights was notified about the data breach, no notice was placed on the Westend Dental website, and there was no media notice about the data breach. Individual notification letters were not mailed to the affected individuals. Not only was the breach not reported, but Westend Dental attempted to cover up the attack and data breach by making false statements to the Indiana OAG, including stating, "This was not a ransomware attack. We did not receive any ransom demand after the data was corrupted."
Westend Dental claimed it was a data loss incident involving fewer than 500 records due to the accidental formatting of an internal hard disk. The Indiana OAG obtained written communications between Westend Dental and a third-party software vendor that had been contacted for assistance after the attack. Those exchanges confirmed that Westend Dental was aware of the ransomware attack and had received a ransom demand.
This was an absolute horror show as far as privacy, security, and HIPAA compliance are concerned, and the failure to issue prompt notifications to individuals about the data breach increased the risk of harm to them. The OAG complaint includes seven counts covering the privacy, security, and breach notification failures:
- Failure to comply with the HIPAA Breach Notification Rule
- Failure to comply with multiple provisions of the HIPAA Security Rule
- Failure to comply with the HIPAA Privacy Rule – Disclosures of PHI
- Failure to comply with the HIPAA Privacy Rule – Notice of Privacy Practices
- Failure to implement and maintain reasonable procedures in violation of Indiana Disclosure of Security Breach Act
- Failure to provide breach notification in violation of Indiana Disclosure of Security Breach Act
- Violations of the Indiana Deceptive Consumer Sales Act
Westend Dental has agreed to a consent order under which it will pay a $350,000 financial penalty and take extensive steps to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules and state laws. The consent order also requires Westend Dental to send individual notifications to all individuals who were patients of Westend Dental as of November 23, 2023. The financial penalty and consent order resolve the violations of HIPAA and state laws with the Indiana Attorney General, but they do not preclude further action by the HHS' Office for Civil Rights, which could also choose to pursue financial penalties over the HIPAA violations.
Update: February 2024: Westend Dental has started mailing notification letters to the affected individuals.