Smiles Direct, an Irvine, California-based provider of support services for dental offices, discovered the breach on April 24, 2021, one day after cybercriminals accessed parts of their system.
The initial report to the HHS Office for Civil Rights (OCR) in October 2021 indicated that only 1,200 individuals were affected. That report was later revised upward to 199,683 individuals.
According to the HIPAA Breach Notification Rule, breaches affecting 500 or more individuals must be reported to the HHS Secretary within 60 days of discovery. Exceptions to the rule are provided in cases where companies are cooperating with law enforcement investigations.
On April 12, 2022, the company updated the Maine Attorney General to inform them that the PHI of 2,592,494 individuals had potentially been compromised.
The company said they have offered affected parties a complimentary 12-month membership to a credit monitoring service, including a $1 million identity theft insurance policy.