By Lee Slaton, Vice President of Healthcare, Smart Training

A breach report submitted to the U.S. Department of Health & Human Services (HHS) Office for Civil Rights shows that 1,004,304 patients have been affected by the Dental Care Alliance incident. Dental Care Alliance is a Sarasota, Florida-based Dental Support Organization (DSO) with more than 320 affiliated dental practices across 20 states.

Approximately 30 of those affiliated dental practices are located here in Texas.

Dental Care Alliance was hacked on Sept. 18, 2020; the breach was detected Oct. 11 and contained two days later. The protected health information (PHI) of more than a million individuals has potentially been compromised. The breach notification letters sent to the affected patients did not provide further information on the nature of the attack.

In a breach notification submitted to the Maine Attorney General’s office, the DSO indicated that some patient information was acquired by the hackers, such as patient names in combination with financial account numbers. Approximately 100,000 of the affected patients had their financial account number exposed, according to the report.

This might sound like piling on to some of you, since we reviewed a similar situation in last month’s compliance article. Some might be reading this and thinking, “That’s a big DSO, and what happened to them is unlikely to happen to my small practice.” Perhaps.

But how many of you practice owners are outsourcing different business functions of your practice to outside firms? Does that outsourcing involve patient data? If so, don’t keep your head in the sand.

How the firms you share your patients’ PHI with safeguard your patients’ data is of paramount importance to you. If you and/or one of your business associates are neglectful in how that PHI is handled, it could literally cost you your practice. In the case of Dental Care Alliance, this breach is going to cost them millions of dollars to rectify; not to mention rupture trust between them, the practices they support and the patients they serve.

Smart Training’s compliance advisors encounter practice owners every week who have their heads in the sand when it comes to the unacknowledged and unprepared-for risk to their livelihood that data breaches pose. Dealing with business associate agreements (BAAs) isn’t rocket science, but BAAs do need to be properly prepared and executed. A boilerplate form with blanks usually won’t suffice for a BAA.

Not sure if your practice is properly protected? Smart Training’s certified HIPAA professional created hundreds of custom BAAs for its clients. Compliance and risk management isn’t a sideline for Smart Training; it’s all it does. It’s conducted over 1,500 inspections of dental practices across the country. Put the advantage of its experience to work for your practice.