A dental practice in Indiana has agreed to a proposed settlement of the state's allegations that it failed to report and tried to conceal a ransomware attack that exposed patient personal data, according to court documents.
Westend Dental in Indianapolis signed a proposed consent order requiring it to pay $350,000 to Indiana and beef up its data protection and patient privacy practices and ensure employees and contractors have appropriate training. Westend did not admit to any wrongdoing and a judge will need to approve the settlement agreement.
A lawsuit filed on December 23 by Indiana Attorney General Todd Rokita alleges that Westend Dental was hit with an online attack in October 2020 that exposed patients' protected health information. Westend operates six clinics in Indiana, which treat about 17,000 patients.
Westend Dental is accused of failing to report the breach within the required time limits, attempting to cover it up, and denying the incident. The specific number of patients affected by the breach remains unknown because the practice failed to conduct a forensic investigation, according to the lawsuit.
The state attorney general began investigating the incident after receiving a consumer complaint regarding an unfulfilled request for dental records. During the investigation, it was discovered that the practice was struck by a ransomware attack on or around October 20, 2020, which exposed patients' personal and health information. Westend Dental purportedly did not report the incident until more than two years later on October 28, 2022, according to the lawsuit. HIPAA requires notification within 60 days of discovering a cybersecurity attack.
Dr. Deept Rana, a dentist and the spouse of the owner, Dr. Pooja Mandalia, was purportedly designated as Westend Dental's HIPAA privacy officer and HIPAA security officer. However, Rana reportedly failed to receive regular HIPAA training before November 2023.
The incident occurred on a server that included patient insurance information, treatment plans, and images, at Westend's practice in Arlington, IN. The attack left patients' protected health information encrypted and inaccessible, and the hackers refused to reverse it until a ransom payment was made, according to the lawsuit.
At the time of the attack, Westend Dental allegedly had no system to track who had access to protected patient information. After the breach, Westend Dental couldn't recover patient files, according to the suit.
The attack prompted the state to investigate Westend's overall HIPAA compliance. The investigation found repeated improper disclosures of patients' protected health information in response to online patient reviews.