Photos by Mikhail Nilov and Marcus Spiske from Pexels

An Irvine, California-based DSO with over 100 locations in Texas recently provided an update on the number of individuals affected by a ransomware attack that occurred last year.
On April 24, 2021, attackers gained access to parts of Smile Brands’ system that contained individuals’ protected health information; including names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, government-issued ID numbers, and health information.
The breach was initially reported as affecting “only” 1,200 patients. But in the latest update to the Maine attorney general, the number was reported as 2,592,494. Smile Brands said affected individuals were offered a complimentary 12-month membership to a credit monitoring service, which includes identity-theft assistance services and a $1 million identity-theft insurance policy.
While you probably don’t have 2.6 million patient records in your practice, risk exposure doesn’t change in a linear fashion. Sure, big firms attract hackers—but small practices do as well, albeit for a different reason: small practices are typically not as well protected against PHI theft.
According to Coveware, a ransomware incident response firm, the average ransom payment in ransomware attacks fell by 34% in Q1, 2022, from an all-time high in Q4, 2021. The average ransom payment in Q1, 2022 was $211,259, and the median ransom payment was $73,906. Coveware suggests ransomware gangs have been targeting smaller organizations and issuing lower ransom demands due to increased scrutiny by law enforcement on attacks conducted on large enterprises.
As we’ve reviewed before, there are several pathways that PHI thieves have to your patients’ PHI: physical theft, electronic intrusion, and skimming. At Smart Training, our HIPAA specialists are still encountering practices every week that:
- Don’t offer regular training to their staff on protecting PHI.
- Have never designated a knowledgeable staff person to serve as their practice’s privacy officer.
- Have never conducted a HIPAA risk assessment to determine where their vulnerabilities lie.
Addressing those three items won’t guarantee you never suffer a data breach. But, by taking those steps, you’re giving you and your practice the best opportunity to survive when a data breach does occur.