An Indianapolis-based dental practice, Westend Dental, has agreed to pay $350,000 following a state investigation into a ransomware attack that exposed sensitive patient information. Indiana Attorney General Todd Rokita filed a lawsuit against the practice, alleging a failure to timely report the breach and attempts to conceal the incident.
The ransomware attack, which occurred in October 2020, compromised a server at Westend Dental's Arlington location, affecting at least 450 patients. The state investigation was initiated after a patient filed a complaint regarding an unfulfilled dental records request, which led to the discovery of the breach nearly two years later. Under HIPAA regulations, health organizations are required to notify authorities within 60 days of discovering such breaches.
Westend Dental's owner, Dr. Pooja Mandalia, and her spouse, Dr. Deept Rana, who was designated as the HIPAA privacy officer, failed to maintain adequate security protocols. The lawsuit revealed that the compromised server contained sensitive patient information, including biometric data and treatment records, and that the practice had no system to track access to this data at the time of the incident.
The proposed settlement mandates Westend Dental to comply with HIPAA and improve its data protection measures, including employee training and incident documentation. This case highlights the vulnerabilities within the healthcare sector, where ransomware attacks are increasingly common, with 8% of such attacks targeting healthcare providers, according to cybersecurity expert Errol Weiss.
In addition to the ransomware breach, the investigation uncovered multiple improper disclosures of protected health information through public online posts and responses to patient reviews, further exacerbating the scandal.