A data breach at Lanap & Dental Implants of Pennsylvania has left thousands with their protected health information (PHI) available for download on file sharing websites, according to a report in WNEP.com. Between 5,000 and 11,000 patients in the Williamsport area were affected by the breach.
The patient information was stored in a medical office management program called Dentrix, the most widely used software of its kind in the US. Somehow, a copy of the practice’s database was uploaded to a torrent website, complete with patient names, addresses, dates of birth, telephone numbers, Social Security numbers (SSNs), appointment dates, services provided, dental insurance information, account balances, and prescriptions. The information had last been updated on May 1, 2009.
The breach was discovered last fall by Justin Shafer of Dallas, Texas, who was researching the Dentrix software, according to PHIPrivacy.net. Shafer notified the dental practice, which sent notification letters to 5,000 patients. The database, however, contained information for over 11,000 patients.
In WNEP’s investigation, reporter Dave Bohman contacted patients included in the downloadable files and learned that many were unaware their information was online.
Scott McIntosh, a lawyer representing the dental practice and its owner Dr. David DiGiallorenzo, has stated that the breach was an “unauthorized hacking incident,” and the letters sent to patients noted the practice “would take additional security measures” but did not identify what steps would be taken. McIntosh informed PHIPrivacy.net “that we have complied fully with the state and federal notification requirements for such a breach. This matter has been referred to the FBI for investigation and, hopefully, prosecution.”
WNEP, on the other hand, reports that “law enforcement agencies will not even confirm if a criminal investigation is underway, and the question of who stole the information from the dental offices and why, remains unanswered.”
It seems that there are more questions than answers regarding the incident. While the office notified 5,000 patients, the SSNs for nearly 9,000 are available online. Was the office unaware of the actual number of affected patients, or did they choose to only notify 5,000?
The files were initially uploaded to a torrent site on Feb. 17, 2010, according to a contributor to CyberWarnews.info, meaning the files were accessible for almost four years. PHIPrivacy reports that the data was uploaded with the message, “I found a USB flash drive in the middle of the road and it had this Dentrix software on it. I don’t know if it needs [to be] activated or who would even be looking for this type of software, but someone put [it] on a flash drive for a reason, so here ya go.”
The Dentrix version used by the practice, Dentrix 11, used FairCom’s “standard encryption,” which has since been renamed “Data Camouflage” because of its lack of actual encryption.
Since its first appearance online, the database has spread to 18 sites, and the files have been downloaded more than 9,000 times from a single site alone.
While WNEP notes that there has been no misuse of the information, the truth of that statement is difficult to gauge considering not all patients involved were notified, and it is likely that some are still unaware that their personal information is circulating on the internet. The breach is not currently listed on the HHS data breach tool, and there is also no indication that the dental practice has offered any affected patient credit monitoring services.
In the strangest turn of events, McIntosh has issued a cease and desist notice to Shafer, according to PHIPrivacy.net. The notice is apparently in response to Shafer contacting the media to share the breach story so that others affected might be aware of the incident. Shafer is to make no future mention of any breach details, and criminal prosecution is being sought in two states.