Cybersecurity and Dental Services

The Dental Center of Northwest Ohio provides dental services and is based in Toledo, OH. In order to focus on dentistry, the practice contracted with Arakyta to manage their IT services.

Breach

The Dental Center of Northwest Ohio’s vendor experienced a breach. Arakyta was breached on September 1, 2018. Arakyta contracted with a third party to investigate the issue. They found that an unauthorized person had accessed their server. They may have viewed and copied their patient data. This also affected the employees.

Attack

The attackers used ransomware to attack the dental center’s vendor. Thisinfected the vendor’s computer systems. During this time it appears the systems were open to the attackers. It is notable that there were security measures in place, however, these were avoided by the attacker, much like a football player avoiding a tackle. The center is not sure how many patients were affected by this breach.

Data

As an additional issue for the practice, it appears the data may have been accessed. The disclaimer is there, as of January 2019, no evidence the data had been used in a malicious manner. While this is intended to calm the waters, there may not be signs for months or a year later. The data potentially accessed would be excessively useful for identity theft, fraud, and other nefarious uses. The data included the patient’s name, address, date of birth, social security number, state ID number, driver’s license number, medical treatment, medical history, diagnosis, clinical treatment information, medical record number, patient number, health insurance, and benefit information, and financial account information. The data could be used in several different ways by different parties for many malicious purposes.

Remediation

Dental Center of Northwest Ohio is offering free credit monitoring and ID theft restoration services to the possibly affected parties and staff. While this is great and a step in the right direction, this does not solve the overall issue. People are not allowed to change certain information about themselves, i.e. social security number, and historical static data won’t change, i.e. medical treatments. These data points will available for unauthorized use indefinitely. The Dental Center of Northwest Ohio and Arakyta are also reviewing policies and procedures, and implementing additional security measures.

Comments, Concerns, Etc.

There are teachable moments to share with most things. This would be one of those occasions. Granted this would not be shared until the issue would be resolved, however, this would have still been a lesson for others in the industry. Of course, the CISO/CTO does not want to have further light cast on the oversight, however, the issue once resolved should be documented and put in the past.

Resources

Barth, B. (2019, January 3). Dental center of NW ohio feels bite of ransomware attack on IT vendor. Retrieved from https://www.scmagazine.com/home/security-news/dental-center-of-nw-ohio-feels-bite-of-ransomware-attack-on-it-vendor/

Bratton, M. (2019, January 2). Data breach puts personal information at risk for patients, employees, of dental center of northwest Ohio. Retrieved from https://www.13abc.com/content/news/Data-breach-puts-personal-information-at-risk-for-patients-employees-of-Dental-Center-of-Northwest-Ohio-503811171.html

Data Center of Northwest Ohio. (2018, December 28). RE: Dental center of northwest Ohio, notice of data privacy event. Retrieved from https://www.prnewswire.comp/news-releases/re-dental-center-of-northwest-ohio-notice-of-data-privacy--event-300771300.html

HIPAA. (2019, January 2). Vendor of dental center of northwest Ohio suffers ransomware attack. Retrieved from https://www.hipaajournal.com/vendor-of-dental-center-of-northwest-ohio-suffers-ransomware-attack/

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.