Dental Practice Fined $350K for Extensive HIPAA Violations and Ransomware Coverup
Westend Dental has agreed to a consent judgment and order that resolves multiple alleged violations of Indiana law and the Health Insurance Portability and Accountability Act (HIPAA), and an attempted coverup of a ransomware attack and data breach.
Westend Dental, which includes dental practices operated under the names Arlington Westend Dental, Sherman Westend Dental, Fountain Square Westend Dental, Lafayette Westend Dental, and Affordable Westend Dental, was investigated by Indiana Attorney General Todd Rokita's Office over a complaint from a patient who had not been provided with a copy of their dental records. The patient was told that the records no longer existed because someone had hacked the practice's systems. AG Rokita's office had not been informed of any hacking incident or data breach at Westend Dental.
The Office of the Attorney General (OAG) contacted a dentist at Arlington Westend Dental to investigate the complaint and was informed in February 2022 that one of the practice's servers had been infected with malware on the night of October 20, 2020. An OAG investigator contacted Westend Dental in June 2022 to enquire about the malware incident, and in October 2022, Westend Dental submitted a data breach notification form to OAG stating that the incident affected fewer than 500 individuals and that no notice had been provided to the affected individuals.
The data breach form stated that names, addresses, driver's license/state ID numbers, dates of birth, and protected health information were involved, but Westend Dental maintained that there had been no data breach, only a loss of data caused by an error while formatting a hard drive. The plan had been to format a hard drive partition that did not contain patient data, but the entire hard drive was accidentally formatted. Attempts were made to restore the data; however, some patient data could not be recovered.
The Westend Dental practices are owned by Dr. Pooja Mandalia, D.D.S., who is married to Dr. Deept Rana, D.D.S. Dr. Rana was purportedly designated the HIPAA Privacy and Security Officer for the practices. Dr. Rana's brother, Kunal Rana, owns a separate company, Westend Dental Management LLC, which assists with the management of all of the dental practices.
According to a November 2022 email sent by Kunal Rana to OAG, "This was not an intrusion, but an incident of data being lost when the on-site internal hard drive of the server got formatted by mistake… This was not a ransomware attack. We did not receive any ransom demand after the data was corrupted." In March 2023, OAG issued a civil investigative demand to Westend Dental, and in response, Westend Dental confirmed its earlier emailed statement that there had been no data breach, only a loss of data. Kunal Rana later testified under oath that there had been no ransomware attack and that no ransom note had been found.
OAG obtained copies of customer service recordings between Westend Dental and one of its software vendors confirming that a cryptovirus had encrypted files and that a ransom demand had been received. Kunal Rana claimed he had lied to employees and the software vendor about the attack and the ransom note. The software vendor had retained a copy of the ransom note, and when OAG presented this evidence to Westend Dental, Dr. Rana confirmed that there had been a ransomware attack. OAG then initiated a broader investigation to assess compliance with the HIPAA Rules and uncovered multiple compliance failures.
The ransomware attack was conducted by the Medusa Locker ransomware group, which gained access to a server at Arlington Westend Dental and encrypted files. The server contained the records of around 450 patients of that practice. In total, across all practices, Westend Dental had around 17,000 patients at the time of the attack, all of whom may have been affected. It was not possible to tell whether that was the case, because Westend Dental never investigated the ransomware attack.
There was no investigation to determine the initial access vector, which meant the ransomware group may have retained access to the servers. Multiple servers may have been compromised: the compromised Arlington Westend Dental server held a plain text file containing usernames and passwords, and the same username and password were used for all Westend Dental servers and for an SQL database containing patient data. Without an investigation, there was no way to rule out that those shared credentials had been taken and used elsewhere.
There was no monitoring system in place for tracking who accessed patients' protected health information, servers were located in areas without physical safeguards, password policies had not been set until at least January 2024, there was no evidence that a HIPAA-compliant risk analysis had ever been conducted, and while data had been backed up, the backups were incomplete and did not include all protected health information.
The dental practices had responded to social media posts and in doing so impermissibly disclosed patients' protected health information, there was no notice of privacy practices on the practices' website, and HIPAA training had not been provided to staff members, including Dr. Rana, the HIPAA Privacy and Security Officer. There was also no official designation of Dr. Rana as the HIPAA Privacy and Security Officer.
There was no business associate agreement with Kunal Rana or his company, despite their having access to patient information. Westend Dental also tried to cover up the data breach, failed to report it, and issued neither individual notifications nor a media notice.
AG Rokita alleged that these failures violated the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, the Indiana Deceptive Consumer Sales Act, and the Indiana Disclosure of Security Breach Act. The consent order includes a fine of $350,000 and requires the adoption of a corrective action plan to address all areas of non-compliance with federal and state laws. Notifications must also be issued to all 17,000 patients potentially affected by the data breach.