By Genni Burkhart
Two separate cyberattacks recently impacted a large U.S. dental supply company, and the American Dental Association (ADA). While the investigations are separate and ongoing, the implications of these attacks seem to highlight a much larger issue – that these types of crimes are on the rise, and often aren’t reported to those affected until well after the damage has been done.
Data Breach at Major Dental Supply Company
On April 20th Burkhart Dental Supply (no relation to article author) based in Tacoma, WA began sending out notification letters concerning a data breach that happened on or around October 7, 2021 to those impacted. The information that was potentially compromised included clients’ names, social security numbers, date of birth, driver’s license numbers, and other government-issued identification numbers.
The company claims that upon discovery of the breach immediate action was taken to limit the impact of the incident. This included an investigation in March of this year to determine the source and scope of the data breach, and implementation of “additional features” to prevent a similar incident from happening again.
While Burkhart Dental did not include the source of the breach in the letter, it did offer free identity theft services to those impacted.
ADA Targeted by Cybercriminals
On April 22nd the American Dental Association was the target of a cybersecurity incident, allegedly enacted by a new ransomware gang, “Black Basta.”
The attack originally brought the ADA’s website to a halt and disrupted their email, telephone, and Web chat, as well as causing online services such as the ADA Store and Catalog, MyADA, and other services to become inaccessible.
In a letter sent to members on the breach, the ADA asked its members for “understanding” in the limited details currently available as the attack remains under investigation, and it works to secure its network. Federal law enforcement is working with the ADA on investigating this attack, and perhaps showing just how far-reaching this attack was, an article from bleepingcomputer.com reports that state dental associations in New York, Virginia, and Florida have also been impacted by this event.
While the ADA stated preliminary investigations didn’t indicate member information was compromised, the same article by bleepingcomputer.com and cited by numerous sources states “Black Basta” already leaked, “approximately 2.8 GB of data” which accounts for 30 percent of the total data stolen in the attack. This particular data includes W2 forms, NDAs, accounting information, and information on ADA members.
However, in a statement made by the ADA to the Information Security Media Group (ISMG) as reported at govinfosecurity.com, neither “Black Basta” nor any other ransomware is specified, and calls reports of such as unsubstantiated and not affiliated with the official investigation.
Additional Attacks on Oral Healthcare Organizations
- Professional Dental Alliance in October of 2021. This network of dental practices notified tens of thousands of patients that their protected health information stored in emails was accessed without authorization between March 31 and April 1 of 2021. This breach happened by a vendor, North American Dental Management, and upon investigation found phishing emails to be the method of this attack.
- Jefferson Dental & Orthodontics (JDC) in March of 2022. Texas based JDC Healthcare Management, operating as Jefferson Dental & Orthodontics and claiming to be the “official dentists of the Dallas Mavericks,” has over 70 locations across the state. In March of this year JDC reported to the Texas attorney general’s office that the protected health information of over 1 million individuals were impacted by a malware incident happening on or around August 9, 2020.
Dentists and their practices are no less immune to cyberattacks than any other healthcare professional or institution. With money and extortion often the prime motivator, many experts agree that healthcare professionals are especially vulnerable for this type of fraud. Unfortunately, when sensitive data is compromised it also threatens the reputation of the organization and individuals involved. In addition, any data breach involving protected health information held by a healthcare provider or other “covered entity” subjects the provider to sanction under HIPAA.
The idiom, “An ounce of prevention is worth a pound of cure” gives particular meaning to becoming hyperaware of these rising threats, and taking steps to protect. The first step is awareness, followed by active measures to protect the sensitive information of yourself, staff, and patients.
If you feel you might have been impacted by any of these data breaches, please visit those organizations directly for their official response and instructions.
Author: With over 12 years as a published journalist, editor, and writer Genni Burkhart’s career has spanned politics, healthcare, law, business finance, technology, and news. She resides on the western shores of the idyllic Puget Sound where she works as the Editor in Chief for the Incisor at DOCS Education out of Seattle, WA.