
Email accounts were accessed after a business associate’s employees responded to phishing emails
In what’s becoming a sad yet familiar tale, a network of dental practices affiliated with North American Dental Group has notified over 170,000 patients, including over 4,200 patients in Texas, that some of their PHI was stored in email accounts that were accessed by an unauthorized individual between March 31 and April 1, 2021.
Professional Dental Alliance says the breach occurred at its vendor, North American Dental Management. The ensuing investigation revealed several email accounts were accessed by an unauthorized individual after employees responded to phishing emails.
Hit the pause button for a second and ask yourself three extremely important questions, no matter the size of your practice:
- Has your practice’s privacy officer conducted a HIPAA Risk Assessment in the past twelve months? If so, that will answer the next two questions.
- Do you have signed business associate agreements (BAAs) with all your vendors who have access to your patients’ PHI?
- Have all your staff members completed recent training in safeguarding PHI and recognizing phishing attacks?
If you can’t answer these three questions in the affirmative, your practice and your financial legacy are at serious risk.
While the investigation of the breach described above uncovered no evidence of attempted or actual misuse of patient data (yet), it confirmed the email accounts contained protected health information such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information.
Affected individuals have been advised to exercise caution, review their credit reports and account statements, and be on the lookout for signs of misuse of their data. Professional Dental Alliance says affected individuals are being offered complimentary membership to credit monitoring and identity theft protection services for two years.
As my college coach used to preach after a player made a mental mistake on a simple assignment, “Guys, it’s basic blocking and tackling! If you can’t execute the basics, how can your teammates trust you to do your job when a sophisticated defensive scheme or offensive audible at the line of scrimmage is called?” The same question holds true at dental practices. Dentistry is infinitely more sophisticated than it was even ten years ago. Yet, if your patients suffer from bone-headed mistakes on the simple stuff like protecting their health information and leave your practice because of them, all the newest techniques you learned to apply to your craft won’t mean much.