
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Orthodontic Practice Management Software Provider Announces Data Breach

OrthoMinds, an Alpharetta, Georgia-based provider of orthodontic practice management software, has recently announced a November 2024 security incident that potentially resulted in unauthorized access to patients’ protected health information. The forensic investigation confirmed that parts of its network may have been exposed to unauthorized, external third parties between November 17, 2024, and November 27, 2024.

The file review confirmed that the information likely compromised in the incident includes names, dates of birth, medical information, health insurance information, payment card information, and Social Security numbers. What is not clear at this stage is how many individuals have been affected. The file review is ongoing, and the breach has been reported to the HHS’ Office for Civil Rights as involving the information of at least 501 individuals. The final total is likely to be substantially higher.

OrthoMinds is sending notification letters to the individuals affected on behalf of its affected clients and is offering complimentary credit monitoring services to individuals who had their payment card information or Social Security numbers exposed. OrthoMinds has also reviewed its policies and procedures and is implementing additional technical safeguards to prevent similar incidents in the future. While data has been exposed, OrthoMinds said it is unaware of any data theft or data misuse.

It would appear that the security incident is due to improperly secured databases, which could be accessed freely over the Internet, with no access controls in place. That means that anyone who found the databases could access and download the contents.


A security researcher, JayeTee, said he discovered the databases and claims they included the data of at least 200,000 patients. He suggests that while the database may have been accessible in November, the data was likely exposed for longer. The researcher said he monitors for exposed data and the database was first identified in his logs around October 23, 2024, but it was November before he investigated further. JayeTee said he found more than 300 database backups from November 2020 through mid-October 2024, each of which contained the data of many patients of dental clinics that use the practice management software. In total, the database backups contained more than 1,873 gigabytes of data. What is not known is whether anyone other than the security researcher found the exposed database before it was secured.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
