Westend Dental Fined $350,000 for Covering Up Ransomware Attack Data Breach

Westend Dental LLC, a US dental chain, was fined $350,000 for lying about a 2020 ransomware attack that resulted in a major data breach. Their cover-up involved false statements and delayed breach notifications, leading to significant HIPAA violations.

    Westend Dental LLC Data Breach Cover-Up Exposed

    A US dental chain, Westend Dental LLC, has been fined $350,000 for its attempt to conceal a significant data breach stemming from a 2020 ransomware attack.

    The Ransomware Attack and the Subsequent Cover-Up

    In October 2020, Westend Dental LLC fell victim to the Medusa Locker ransomware group. Medusa Locker, which operates under a Ransomware-as-a-Service (RaaS) model, is known for targeting large enterprises in healthcare and education and for double extortion: encrypting data and threatening to publish the stolen copy unless a ransom is paid.

    Instead of reporting the incident promptly, Westend Dental LLC chose to deceive its patients. It falsely attributed the data loss to an “accidentally formatted hard drive,” a blatant attempt to sidestep the HIPAA Breach Notification Rule, which requires affected individuals to be notified without unreasonable delay and no later than 60 days after a breach is discovered.

    This deception continued until October 28, 2022, when, two years after the attack, Westend Dental LLC finally filed a data breach notification form with the State of Indiana. This delay significantly hampered efforts to mitigate the damage and inform affected individuals.

    The Investigation and Uncovered HIPAA Violations

    The Indiana Office of Inspector General (OIG) launched an investigation, prompted by a patient complaint regarding an unfulfilled request for dental records. The OIG uncovered evidence confirming the October 2020 ransomware attack and Westend Dental LLC’s continued denial of a data breach. A witness statement in January 2023 further solidified the evidence, leading to a broader investigation into Westend Dental LLC’s compliance with HIPAA rules and state laws.

    The investigation revealed a multitude of serious HIPAA violations, including:

    • Lack of HIPAA Training and Policies: Westend Dental LLC failed to provide employees with HIPAA policies and procedures or adequate training until well after the breach.
    • Absence of Risk Analysis: No evidence suggested a HIPAA-compliant risk analysis had ever been conducted. The investigation uncovered usernames and passwords stored in plain text on the compromised server, highlighting a severe lack of security protocols.
    • Inadequate Password Policies: Until at least January 2024, Westend Dental LLC lacked password policies, using the same username and password across all servers containing protected health information.
    • Neglect of Physical Safeguards: Servers holding sensitive patient data were left unprotected in employee break rooms and bathrooms, demonstrating a complete disregard for physical security measures.
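    Two of the findings above, credentials kept in plain text on the server and one username and password reused across every server holding protected health information, are the kind of thing a small configuration audit catches long before a regulator does. The script below is an added example written for this page, not code from the original article or from Westend Dental; the config fragments, host names and credential values are constructed, and the key-matching pattern and the list of hash prefixes are assumptions for illustration. It flags password values that are not stored as a recognised hash and groups hosts that share the same user/password pair, reporting only a fingerprint so the audit output never echoes the secret itself.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: hypothetical config fragments collected from three
# servers that store patient records. Host names and credentials are made up.
SAMPLE_CONFIGS = {
    "pms-db-01": "db_user=admin\ndb_pass=Dental2020!\n",
    "imaging-02": "user = admin\npassword = Dental2020!\n",
    "backup-03": "DB_USER=backup\nDB_PASSWORD=$argon2id$v=19$m=65536,t=3,p=4$abc$def\n",
}

# Assumed key pattern: any KEY=VALUE line whose key mentions a user or password.
CRED_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z_]*(user|pass|password|pwd)[A-Za-z_]*)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Assumed set of prefixes that mark a value as a password hash rather than plaintext.
HASH_PREFIXES = ("$argon2", "$2a$", "$2b$", "$5$", "$6$", "$pbkdf2")


def extract_credentials(text):
    """Return {key: value} for every credential-looking line in one config file."""
    return {m.group("key").lower(): m.group("val") for m in CRED_RE.finditer(text)}


def _split_user_secret(creds):
    """Pick the first user-like and the first password-like value from a config."""
    user = next((v for k, v in creds.items() if "user" in k), None)
    secret = next((v for k, v in creds.items() if "pass" in k or "pwd" in k), None)
    return user, secret


def find_plaintext_secrets(configs):
    """List (host, key) pairs whose password value is not a recognised hash."""
    findings = []
    for host, text in sorted(configs.items()):
        for key, val in extract_credentials(text).items():
            if ("pass" in key or "pwd" in key) and not val.startswith(HASH_PREFIXES):
                findings.append((host, key))
    return findings


def find_shared_credentials(configs):
    """Group hosts by a SHA-256 fingerprint of (user, password); keep groups of 2+.

    The fingerprint is reported instead of the secret so the audit log itself
    does not become another plaintext credential store.
    """
    by_fingerprint = defaultdict(list)
    for host, text in sorted(configs.items()):
        user, secret = _split_user_secret(extract_credentials(text))
        if user is None or secret is None:
            continue
        fp = hashlib.sha256(f"{user}\0{secret}".encode()).hexdigest()[:12]
        by_fingerprint[fp].append(host)
    return {fp: hosts for fp, hosts in by_fingerprint.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, key in find_plaintext_secrets(SAMPLE_CONFIGS):
        print(f"PLAINTEXT  {host}: {key}")
    for fp, hosts in find_shared_credentials(SAMPLE_CONFIGS).items():
        print(f"SHARED     fingerprint {fp} used on {', '.join(hosts)}")
```

On the constructed sample the audit reports plaintext passwords on pms-db-01 and imaging-02 and one credential pair shared by both, which is exactly the pattern the investigators described. In practice the input would come from a config-management inventory or from files gathered during a risk analysis, and any hit in the shared-credential group means a single compromised host hands an attacker every server in that group.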

    Consequences of the Westend Dental Fine

    The lack of a forensic investigation following the ransomware attack means the precise number of individuals affected remains unknown. However, considering Westend Dental LLC served approximately 17,000 patients at the time of the attack, the potential impact is substantial. The incomplete backups made by a third-party vendor further compounded the problem, preventing timely notification of affected patients.

    As a direct result of these violations and the deliberate attempt to cover up the Westend Dental data breach, the dental group was fined $350,000. The penalty serves as a cautionary tale for other organizations, highlighting the importance of proactive cybersecurity measures, prompt breach reporting, and strict adherence to HIPAA regulations. The Westend Dental case underscores the high cost of non-compliance and the reputational damage that follows from concealing a data breach.
