A dental practice in Indianapolis has agreed to pay the Office of the Indiana Attorney General (OAG) a $350,000 financial penalty to settle several alleged violations of federal and state law arising from an unreported ransomware attack and data breach in October 2020.
Several dental practices operating under the names Westend Dental, Arlington Westend Dental LLC, Westend Dental LLC, Sherman Westend Dental LLC, Lafayette Westend Dental LLC, Fountain Square Westend Dental LLC, and Affordable Westend Dental LLC are managed by Dr. Pooja Mandalia D.D.S. The Indiana OAG started investigating Westend Dental after receiving a complaint from a patient. The patient had allegedly requested a copy of their dental records, but the practice could not provide them because of a hacking incident.
The Indiana OAG investigation found evidence that Westend Dental had suffered a ransomware attack on or about October 20, 2020, affecting the protected health information (PHI) of state residents. Westend Dental notified the Indiana OAG of an incident on October 28, 2022, roughly two years after the attack and data breach occurred. The notification did not admit that a ransomware attack or data breach had taken place; it stated that patient data had been lost because a hard drive was accidentally formatted. However, sworn witness testimony given in January 2023 confirmed that a data breach had occurred. The Indiana OAG therefore opened a broader investigation into compliance with state law and the HIPAA Rules, which uncovered substantial HIPAA violations.
The practices are owned by the spouses Dr. Mandalia and Dr. Deept Rana D.D.S., together with Westend Dental Management LLC, which is owned by Dr. Deept Rana’s brother, Kunal Rana. Dr. Deept Rana was allegedly the HIPAA Privacy and Security Officer for the Westend Dental practices; however, there is no documentation of that designation, and Dr. Rana did not receive routine HIPAA training before November 2023. Kunal Rana is not a dentist, but he leased properties to Westend Dental and assisted with the operations of the practices even though he was neither an employee nor a contractor. The practices and Kunal Rana never entered into a business associate agreement.
The Medusa Locker ransomware group gained access to an Arlington Westend Dental server that held the PHI of 450 patients and encrypted the files. Across all of its companies and practices, Westend Dental had roughly 17,000 patients at the time of the attack. No forensic investigation of the attack was conducted, so the total number of affected patients is unknown.
According to the OAG complaint, Medusa Locker frequently breaches systems by exploiting weaknesses in Remote Desktop Protocol (RDP). It is not known whether RDP was the entry point in this case, because no analysis was performed to determine whether RDP had been compromised. Without such an investigation, it could not be ruled out that Medusa Locker retained ongoing access to the server and other systems: neither the initial access vector nor the attacker’s continued access was ever confirmed or excluded.
Westend Dental kept lists of usernames and passwords on the breached server. Those same credentials were used for all Westend Dental servers that stored PHI, including an SQL database of patient data. When asked about the monitoring systems in place, Dr. Rana could not recall whether any monitoring system had been set up. There was no system or policy for determining who could access PHI.
A third-party software vendor made backups of patient data, but they were incomplete. Employees were unaware of the HIPAA policies and procedures and did not receive HIPAA training before November 2023. Although Westend Dental purchased a HIPAA compliance software program on or about November 20, 2023, the OAG alleges that Westend Dental was still not HIPAA compliant. For example, the OAG noted that Westend Dental had published a notice of privacy practices on its website, but there was no evidence that a HIPAA-compliant risk analysis had been conducted, no password policy existed until January 2024, and there were no physical safeguards restricting access to the servers containing patient information. Some servers were located, unsecured, in staff break rooms and restrooms.
Westend Dental did not notify the Indiana Attorney General or the HHS Office for Civil Rights (OCR) of the data breach, nor did it post a notice on its website, issue a media notice, or mail individual notification letters to the affected persons. It also attempted to conceal the attack and data breach by making false statements to the Indiana OAG.
Westend Dental claimed that a data loss incident affecting fewer than 500 records had occurred because an internal hard disk was unintentionally formatted. The Indiana OAG, however, obtained written communications exchanged after the cyberattack between Westend Dental and a contracted software vendor. Those communications showed that Westend Dental knew about the ransomware attack and had received a ransom note.
Westend Dental faces the following seven counts of privacy, security, and breach notification failures:
1. Non-compliance with the HIPAA Breach Notification Rule
2. Non-compliance with several provisions of the HIPAA Security Rule
3. Non-compliance with the HIPAA Privacy Rule – Disclosures of PHI
4. Non-compliance with the HIPAA Privacy Rule – Notice of Privacy Practices
5. Failure to provide breach notification in violation of the Indiana Disclosure of Security Breach Act
6. Violation of the Indiana Disclosure of Security Breach Act
7. Violations of the Indiana Deceptive Consumer Sales Act
Westend Dental will pay a $350,000 financial penalty and implement measures to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules and with state law. The consent order also requires Westend Dental to send individual notices to everyone who was a patient of Westend Dental up to November 23, 2023. The financial penalty and consent order settle the HIPAA and state law violations with the Indiana Attorney General; however, the HHS Office for Civil Rights could still pursue its own financial penalties for the HIPAA violations.