Share this article on:
Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors.
Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data.
No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services.
The types of data potentially viewed/copied by the attacker included full names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, medical histories, diagnoses, treatment information, clinical data, medical records, patient ID numbers, health insurance information, benefit information, and financial data.
Both the dental center and Arakyta had security measures in place to prevent unauthorized data access, but those controls were bypassed by the attacker. The dental center has since reviewed its policies related to the privacy and security of patient data and has implemented additional safeguards to prevent further breaches of protected health information.
The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and other appropriate authorities. The breach summary has yet to be added to the OCR breach portal, so it is currently unclear how many patients have been affected.