Note: This is an ongoing case. We will update this post as more information becomes available.
A tentative settlement between plaintiffs and Dental Care Alliance, LLC. (DCA), of Florida over a ransomware data breach in 2020 is expected to cost the defendant a whopping $3 million. Plaintiff(s) and the defendant agreed to negotiate the settlement out of court, with the court’s permission, in November 2021. If the negotiated settlement stands, the case is expected to be finalized in September of 2022 but could be reopened if not.
The information on the Department of Health and Human Services Office of Civil Rights (OCR) breach portal shows that DCA reported on December 8, 2020, that the breach had occurred and that the electronic personal health information (ePHI) of over 1.7 million individuals had been affected.
As a medical provider vendor (business associate) for over 300 dental practices, DCA must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 2009. This means they must meet minimum standards to secure the ePHI of the organizations they serve.
Timeline:
These are the dates of the major events in this case:
The data breach occurred in September/October 2020. DCA notified the Office of Civil Rights (OCR) on December 08, 2020. A lawsuit was filed on January 06, 2021. An amended complaint was filed on May 14, 2021. On December 07, 2021, the court ordered the case to be administratively closed to allow the parties to finalize a settlement. On January 07, 2022, the parties jointly agreed that the case should be dismissed without prejudice. Presumably, this means that they did reach a settlement. The court is expected to rule on the parties’ agreement to close the case in September of 2022.
DCA-Who they are and what they do:
DCA supports many dental specialties, including pediatrics, orthodontics, and oral surgery. Their support can include cleaning and sterilization services, patient monitoring, training, and office support. Communications with staff and patients are part of their catalog as well.
As a provider of services and personnel to multiple dental health providers, in some cases being included in access to patient PII and ePHI, DCA is considered a business associate of these providers.
OCR-What is it?
The Office of Civil Rights,(OCR) is the enforcement arm of the office of Health and Human Services (HHS) when it comes to HIPAA. The OCR is responsible for looking into any breach that health care providers report. They also investigate complaints made to their offices but only publish those that affect 500 or more individuals. Part of that responsibility includes levying financial and/or criminal penalties against those responsible for the data security of the clients, patients, or employees at the provider or Business Associate (BA).
HIPAA doesn’t directly contain a civil cause of action within the statute. However, depending on the facts of the case, a civil suit can be filed for losses (past and future) that a victim may have been subject to. In the case of the DCA breach, this is what happened.
HIPAA/OCR Actions:
On December 8 of 2020, Dental Care Alliance (DCA), based out of Florida, notified HHS, affected patients/personnel, and the media that it had been the target of a breach, which was later reported as a ransomware attack that lasted approximately one month. During that time, a third-party threat actor apparently accessed the data of at least 1.7 million patients and employees. The breach resulted in a civil settlement agreement between the plaintiffs and the defendant for $3 million.
Because the breach was against a business associate to health care providers, DCA notified the Department of Health and Human Services, OCR, as required. The investigation report on the OCR Portal is archived (marked as completed). Information provided by HHS states that DCA has moved to retrain its employees and implement safeguards related to data protection. There was no mention of penalties levied against DCA by HHS.
The Civil Suit:
A civil suit was filed on January 06, 2021, in order to force DCA to compensate victims of the breach for losses. There didn’t appear to have been any efforts made by DCA to pay for damages related to the unauthorized use of personal information, potential credit fraud, and attempts to garner more personal data from the plaintiffs after the fact.
Several plaintiffs have had to research identity protection and insurance on their own and spend considerable time monitoring their accounts for fraud.
Some plaintiffs still have yet to be informed that their information was impacted.
At least one complainant has had unemployment compensation redirected several times, causing them to deal with the fallout from that.
The amended complaint, NIKI PARA, REGINA ROSARIO VS.DENTAL CARE ALLIANCE, LLC, claimed that DCA was liable for damages based on alleged reckless handling and storage of patient data. The suit further claims that this breach could have been avoided with reasonable cybersecurity measures had they been used at the time.
In the complaint, the plaintiffs allege that personally identifiable information (PII) and ePHI both were compromised in the breach, including:
- Names, addresses, diagnoses, bank accounts
- Social Security numbers, dates of birth, and financial account numbers
It is also asserted that “adequate and reasonable cybersecurity procedures and protocols” were not used to protect the above information allowing the threat actor(s) to access this sensitive information.
The plaintiffs believe that DCA could have prevented a breach of this type if they had maintained a higher level of cybersecurity. This lack of appropriate measures may have led to the success of the ransomware attack against DCA, causing a breach that lead to personal and financial problems for those affected.
The settlement between the parties in the case allows varying payments to those affected, based on the information accessed and any fraudulent financial transactions that might occur, up to $5000 per individual. It also includes two free years of notification, monitoring, and identity theft insurance from Identity Guard.
What should you do?
Protecting your organization’s interests is good practice as a provider or a BA. Your goal is to maximize profits while providing services to your clients or patients. Maintaining HIPAA compliance AND cybersecurity protections at the appropriate level is a necessity.
For those patients and employees who may have been affected by this particular breach, it is recommended that you check to see if your dental care provider was one of those involved in the DCA breach. If so, you can file a claim for free protection with Identity Guard and any payments due to you.
It would also be a good idea to check your credit score, any dental or medical providers you use, and financial accounts to ensure they have not been used without your knowledge or consent. In some states, verifying your credit report through the three credit agencies is free.
Northstarr Recommendations
Northstarr System Solutions provides both compliance and cybersecurity, as well as managed IT and other services to our customers based on their needs and requirements. A good start is to discover your present cybersecurity and compliance levels and then work to improve and enhance them. We can help you from start to finish, from data classification to training your staff in cybersecurity best practices and awareness.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!
