A major data breach has recently been reported by a dental clinic operator in Texas that has affected more than 1 million individuals. JDC Healthcare Management operates 72 dental offices in Texas as Jefferson Dental & Orthodontics. JDC explained in its breach notification letters that malware was discovered on certain internal IT systems on or around August 9, 2021, and steps were immediately taken to restore its systems. Third-party forensics investigators were engaged to determine the nature and extent of the security breach, and while the investigation into the attack is ongoing, JDC said it became clear on August 13, 2021, that the individuals who accessed its IT systems viewed or exfiltrated documents that contained patient information. Those individuals had access to its systems from July 27, 2021, to August 16, 2021.
“Upon learning of this incident, we moved quickly to investigate and respond to this incident, assess the security of our systems, restore functionality to our environment, and notify potentially affected individuals,” said JDC in its breach notification letters. JDC said it has reviewed and revised its existing policies and procedures to reduce the likelihood of a further cyberattack. A detailed review of the files on the compromised parts of the system confirmed they contained information such as names, dates of birth, Social Security numbers, driver’s license numbers, clinical information, health insurance information, and financial information.
On June 14, 2021, Texas Governor Greg Abbott signed House Bill 3746 into law. The bill, which took effect on September 1, 2021, amended the data breach reporting requirements in Texas. The bill updated the Texas Business and Commerce Code to require notifications to be sent to the Texas Attorney General about any breach of system security in which the sensitive data of 250 or more Texas residents was exposed. Data breach laws in Texas also require individual notifications to be sent to affected consumers. The notifications are required within 60 days of the discovery of the breach.
Texas is one of several states to have updated its breach notification requirements in recent years. The Lone Star State joins states such as California, Maine, Massachusetts, and Vermont that now require data breaches to be made public by the state attorney general. Texas law only requires the data breach notifications to be made public on the Texas Attorney General’s website for 12 months.
The breach notice published by the Texas Attorney General indicates the information of 1,026,820 Texas residents has potentially been affected. In this case, since the breach affected an entity covered by the federal Health Insurance Portability and Accountability Act (HIPAA), notifications are also required under the HIPAA Breach Notification Rule, within 60 days of the discovery of the breach. At the time of writing, the incident has yet to appear on the HHS’ Office for Civil Rights breach portal – a requirement of the HITECH Act – so it is unclear if any individuals outside of Texas have also been affected.
JDC said it started notifying affected individuals in January 2022, almost 5 months after the data breach was detected.