Dental Alliance Reports Vendor Breach Affecting 170,000Multiple Breach Reports for Phishing Incident Reflect Notification Complexities
The Professional Dental Alliance is notifying more than 170,000 individuals in about a dozen states of a phishing breach involving an affiliated vendor that provides nonclinical management services to dental practices owned by PDA.
New Castle, Pennsylvania-based PDA owns dental practices in 15 states, a PDA spokesman says.
In a statement, PDA says North American Dental Management, an affiliated vendor that provides administrative and technology support services for PDA practices, experienced an email phishing and credential harvesting attack on March 31 and April 1.
The incident potentially exposed patient information including name, mailing address, email address, phone number, dental information, insurance information, Social Security number and financial account numbers, PDA says.
NADM notified federal and local law enforcement agencies about the attack, PDA says. "Presently, there is no evidence of malicious use of any personal information due to this incident," the statement notes.
"While the matter remains under investigation, NADM and PDA have enhanced their email security controls and computer networks," PDA says in its statement.
Individuals affected by the breach are being offered two years of complimentary identity and credit monitoring and identity theft insurance for up to $1 million, PDA says.
No ransomware or other malware was involved in the phishing attack, the PDA spokesman tells Information Security Media Group.
Multiple Breach Reports
As of Thursday, the Department of Health and Human Service's HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows 11 separate breach reports filed by PDA operations in 11 states so far, affecting a total of nearly 173,000 individuals.
The HHS website shows PDA filing breach reports for affected practices in Pennsylvania, Massachusetts, Michigan, Georgia, Indiana, Connecticut, Texas, Florida, Illinois, Tennessee and New York.
Additionally, NADG Hopewell Inc., an Ohio-based dental practice network affiliate of NADM - the same vendor of PDA that experienced the phishing incident - reported an email hacking breach to HHS that it said affected more than 1,100 individuals.
PDA did not immediately respond to ISMG's inquiry about whether patients in all 15 states where PDA owns practices were affected and are being notified about the NADM breach.
The multiple breach reports filed by PDA for its affiliated practices in various states spotlight some of the complexities in HIPAA breach notification requirements for covered entities and business associates, depending upon the circumstances, some experts note.
PDA appears to have followed "the correct method" of reporting in situations where separate covered entity healthcare providers are each individually responsible for notifying HHS and affected individuals for their own respective breach, says regulatory attorney Helen Oscislawski of law firm Attorneys at Oscislawski LLC.
"Here, the phishing incident leading to the breach was directly suffered by what appears to be the HIPAA business associates for each of these respective practices," she says.
"Although [in the PDA incident] they are affiliated providers, there are situations where a HIPAA business associate vendor suffers a breach which affects the individuals of a covered entity provider that is unaffiliated," she notes.
"In these cases, each one of those unaffiliated covered entity providers would be reporting only on the individuals who were affected from their own practice."
Dental Practice Trends
Regulatory attorney Paul Hales of the Hales Law Group says that dental care in the U.S. has traditionally been provided by small independent practices.
"The nature of dentistry as a professional business has inhibited development of larger organizations. And hospitals have little interest in acquiring dental practices or employing dentists," he notes.
Accordingly, Hales says, dentists who may prefer focusing on patient care often turn to outside organizations for services ranging from administration to internet marketing and almost every other element of practice management.
"The opportunity to offload business tasks to specialists has obvious appeal. Dental service organizations like PDA are useful, relatively new and are likely to grow. However, this breach illuminates an inherent concern," he says.
That's because - as in the PDA instance - the email phishing incident at one of PDA's vendors is affecting practices throughout the PDA network, in many states.
"Due diligence is the single most important thing dentists can do to take advantage of outsourced services and grow their practices," Hales says.
"That means working with financial, legal and compliance professionals to evaluate new opportunities and current alliances."