HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack

Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors.

Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data.

No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services.

The types of data potentially viewed/copied by the attacker included full names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, medical histories, diagnoses, treatment information, clinical data, medical records, patient ID numbers, health insurance information, benefit information, and financial data.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Both the dental center and Arakyta had security measures in place to prevent unauthorized data access, but those controls were bypassed by the attacker. The dental center has since reviewed its policies related to the privacy and security of patient data and has implemented additional safeguards to prevent further breaches of protected health information.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and other appropriate authorities. The breach summary has yet to be added to the OCR breach portal, so it is currently unclear how many patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.