Jefferson Dental Center, a South Bend, Indiana dental practice operated by Dr. Lorraine Celis, experienced a ransomware attack on November 15, 2024. Details of the ransomware attack that exposed PHI, and that may have resulted in unauthorized parties obtaining protected health information, are provided below.
Ransomware Attack That Exposed PHI: The Facts
Jefferson Dental has posted a legally required substitute breach notification on its webpage.
In its notification, Jefferson Dental states that it discovered, on November 15, 2024, that its computer network systems were not working. According to the notification, Jefferson Dental, upon inspection, determined that it was the victim of a ransomware attack. The notification states that Jefferson Dental immediately took steps to stop and mitigate the attack.
In its notification, Jefferson Dental states that it discovered that it conducted an investigation of the incident, and determined that the unauthorized access occurred on or around November 14th, 2024, by an undetected, unauthorized user.
Jefferson Dental states in the notification that “Sensitive information may have been inappropriately accessed and/or obtained before ransomware encryption occurred to our network on November 15, 2024.”
Jefferson Dental states that information accessed without authorization may include personal identifying information, including health information of patients of Jefferson Dental Center. Information involved may have included patient files and other records stored on the affected shares including one or more of the following types of information: demographic information (such as names, social security numbers, addresses, driver’s license numbers and date of birth), clinical and treatment information and information related to insurance or claim information. Some of this data may also include related subscribers or guarantors who paid bills for healthcare services of others.”
Patient files, clinical and treatment information, and information related to insurance or claim information, constitute electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA). The demographic information, including the names, social security numbers, addresses, driver license numbers, and birthdates, may also constitute ePHI.
Jefferson Dental, as required by law, reported the incident to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) breach portal on November 27. In its report, Jefferson Dental listed the number of affected individuals as 12,340
Ransomware Attack That Exposed PHI: Jefferson Dental’s Response
Jefferson Dental stated in its notification that it has notified the Indiana Attorney General’s office and federal law enforcement of the incident. Jefferson Dental has also notified patients that they may place an initial or extended fraud alert on their credit files at no cost.
How Compliancy Group Can Help
Healthcare organizations that use Compliancy Group’s healthcare compliance tracking software, the Guard, are better equipped to prevent, manage, and recover from security incidents.
Our software enables organizations to:
- Conduct an accurate and thorough risk analysis to identify risks and vulnerabilities to ePHI.
- Mitigate risk through a risk management plan.Develop policies and procedures through templates that include limiting access to, tracking access of, and reporting access to ePHI.
