Dental office agrees to pay state $350K after data breach, privacy investigation


An Indianapolis-based dental practice has agreed to pay $350,000 and to shore up its data protection and patient privacy practices following a state investigation into a ransomware attack and unauthorized disclosure of patient information.

In a lawsuit filed Dec. 23 against Westend Dental in federal court, Indiana Attorney General Todd Rokita alleged that an online attack in October 2020 exposed patients’ protected health information. The attorney general accused Westend Dental of failing to report the breach within time limits and attempting to cover up and deny the incident.

Under a proposed settlement agreement, Westend Dental would not admit to violating any laws.

“The consent judgment is pending review and approval by the judge,” Josh DeFonce, spokesperson for the Attorney General’s Office, said in an email. He said that a lawyer from the office’s consumer protection division was unavailable for comment.

Officials from Westend Dental did not respond Monday to requests for comment.

The state said the precise number of residents affected by the breach was unknown because Westend did not conduct a forensic investigation.

The state’s investigation was prompted by a Westend patient’s consumer complaint regarding an unfulfilled dental records request. During its investigation, the state discovered a ransomware attack on or around Oct. 20, 2020, that exposed patients’ personal and health information, according to the lawsuit. The state said that Westend Dental did not report the breach to the state until Oct. 28, 2022, about two years later. HIPAA, a federal law designed to protect health care privacy, requires notification within 60 days after discovery of an attack.

Ransomware is a type of cyber-attack through which the perpetrator prevents an organization’s access to its own computers or files and then demands a ransom to restore access.

Westend Dental operates six clinics in Indianapolis and Lafayette owned by Dr. Pooja Mandalia. The lawsuit said Mandalia’s spouse, Dr. Deept Rana, also a dentist, was purportedly designated as Westend Dental’s HIPAA privacy officer and HIPAA security officer. However, Rana did not receive regular HIPAA training before November 2023, the state said. A separate company called Westend Dental Management LLC is owned by Kunal Rana, Deept Rana’s brother. Kunal Rana, despite not being an employee or contractor of Westend Dental, assisted in the management of operations at all the practice locations, the lawsuit stated.

The ransomware attack happened on a server at Westend Dental’s Arlington location, which at that time had at least 450 patients, the lawsuit said. In all, Westend Dental’s practices serve at least 17,000 patients.

According to the suit, the compromised server contained patient information including biometric information, insurance information, treatment plans and dental charts and images.

As part of the proposed settlement, Westend Dental agreed to comply with laws including HIPAA and the Indiana Disclosure of Security Breach Act. Westend Dental also agreed to implement policies and procedures for security incidents and to promptly investigate and document incidents. Other provisions of the proposed agreement include training for employees or contractors who handle protected patient information and having written policies and procedures for social media and online reviews.

According to the suit, the October 2020 attack happened when an intruder deployed ransomware on the server for Westend Dental’s Arlington location, rendering patients’ protected health information encrypted and inaccessible. The intruder then demanded payment in exchange for restoring the information.

The state alleged that Westend Dental had no system to track who had access to protected patient information at the time of the incident. Westend Dental was unable to recover patient files after the breach, according to the lawsuit.

According to cyber security expert Errol Weiss, ransomware attacks—often perpetrated by global criminal gangs—are one of the biggest online threats facing the health care sector.

“A lot of health care providers are not well protected and are not really well prepared to deal with the ransom attack,” said Weiss, chief security officer with Health-ISAC, a global nonprofit focused on cybersecurity and physical threats in the health care sector.

Weiss cited 5,559 ransomware attacks worldwide in 2023, with about 8% of those targeting the health care sector. Often, criminals demand payment in bitcoin. He said basic security practices include keeping systems up to date and patched, backing up and testing systems and using multifactor authentication for access to help prevent attacks.

“We’ve got highly motivated cybercriminals,” Weiss said, “and we’ve got poorly protected networks.”

The state said the ransomware incident prompted it to investigate Westend’s overall HIPAA compliance, resulting in the discovery of repeated improper disclosures of patients’ protected health information in public posts and replies to online patient reviews.

For example, Westend Dental replied to public Google reviews with responses containing protected health information or made social media posts with clearly visible x-rays without patient authorization, according to the lawsuit.

In response to one negative Google review in 2023, Westend Dental wrote about a specific case: “Your husband came in as an emergency because of pain and infection and wanted to have the tooth extracted … .”

The lawsuit stated such details were released without authorization.


2 thoughts on “Dental office agrees to pay state $350K after data breach, privacy investigation”

    1. The ignorance of your comment is beyond believable. Forget the fact that dental records are medical records and should be private and protected, the stolen records included insurance information, which would include names, dates of birth, addresses, and, most likely, social security numbers. Clearly, you have never had your identity stolen and have had to deal with the consequences of stolen identity.
