[BreachExchange] 'Official Dentist' of NBA Team Says Hack Affected 1 Million

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Mar 22 10:13:22 EDT 2022


https://www.inforisktoday.com/official-dentist-nba-team-says-hack-affected-1-million-a-18770

A Texas dental and orthodontic practice that has 70 offices in the state
and boasts of being "the official dentist" of a National Basketball
Association team is notifying more than 1 million individuals of a 2021
malware incident involving patient information being viewed and copied by
attackers.

Dallas-based JDC Healthcare Management, which operates under the name
Jefferson Dental & Orthodontics and says on its website that it is the
"official dentist" of the NBA team the Dallas Mavericks, reported on
Thursday to the Texas attorney general's office that personal and health
information of nearly 1.03 million Texans had been affected in the
incident, which was discovered last summer.

Breach Details
In a breach notification statement, JDC says that on or about Aug. 9, 2021,
it became aware of a malware incident affecting certain company systems.

"JDC immediately worked to restore its systems and launched an
investigation, with assistance from third-party computer forensic
specialists, to determine the nature and scope of the incident."

On Aug. 13, 2021, JDC determined that certain documents stored within its
environment had been copied from or viewed on the system as part of the
cyber incident occurring between July 27 and Aug. 16, 2021. "While to date,
the investigation has found no evidence of actual or attempted misuse of
data, we are making our community aware in an abundance of caution," JDC
says.

Information affected in the incident includes names, addresses, Social
Security numbers, driver’s license numbers, government ID numbers - such as
passports and state IDs, medical information, health insurance information
and financial information, including credit or debit card numbers.

In its breach notification statement, JDC says that upon learning of the
incident, the entity "moved quickly" to investigate and respond, assess the
security of its systems and restore functionality to its environment.

"As part of JDC’s ongoing commitment to the security of information, JDC is
reviewing and enhancing existing policies and procedures to reduce the
likelihood of a similar future event and has reported this incident to law
enforcement."

JDC did not immediately respond to Information Security Media Group's
request for additional information about the incident, including whether it
involved ransomware.

Federal Breach Reporting
While JDC reported to Texas regulators that its breach had affected more
than 1 million, the entity reported that same breach to federal regulators
on Oct. 7, 2021, as a hacking/IT incident involving a network server and
affecting only 501 individuals, according to the Department of Health and
Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool
website. That website lists health data breaches affecting 500 or more
individuals.

Some experts note that occasionally covered entities will initially report
to HHS OCR what the organization anticipates is a major HIPAA breach as
affecting only about 500 individuals, before the exact number of affected
individuals is determined.

But "501 to 1.3 million is a big delta," says attorney Andrew Mahler, vice
president of privacy and compliance at privacy and security consulting firm
CynergisTek.

"I think most organizations try to make their best estimate of the exposure
when they report and err on the side of reporting more rather than less so
as not to place victims at greater risk. By saying only 501 for several
months, when the number was far larger, those individuals were exposed
potentially to greater risk," he says.

Also, whether a protected health information breach report needs updating
"by a lot or a little," organizations should take care to confirm that the
reporting and notification are accurate and complete, says Mahler, who is a
former HHS OCR investigator.

"If corrections need to be made after the report is submitted, OCR allows
organizations to update or correct previous reporting - whether the breach
affected 500 or more or fewer than 500 individuals - through adding an
addendum via OCR’s website," he adds.

Privacy attorney David Holtzman of the consulting firm HITprivacy offers a
similar assessment. "It is not unusual for a large or complex breach to
require several months of investigation to determine the precise number of
individuals whose PHI was compromised," he says.

"Examples would be when paper-based files are put into the waste stream
with regular office trash or a healthcare organization has not conducted an
inventory of its electronic files or performed regular and periodic backups
of its data," he says.

Under those circumstances, the covered entity should make a timely report
of a breach to OCR and other regulatory agencies with the information
available at the time of making the notice.

If a covered entity discovers additional information that modifies a
previously submitted notice, it should submit an additional breach form on
HHS OCR's portal used for reporting a breach, says Holtzman, who was a
senior adviser at HHS OCR.

Notifying Affected Individuals
Meanwhile, when it comes to breach notification statements, "the
appropriate language to use - if the exact number of individuals is unknown
- is 'a breach involving at least 500 people; however, we have not been
able to ascertain the total number of individuals affected. We have
employed a forensic team and are in the process of determining a more
accurate number,'" says regulatory attorney Rachel Rose.

"While initially there may be less attention given to a breach because of
the number of individuals affected, the harm in the long run could be more
problematic," she says.

Also, entities should consider that when a notice is submitted to either a
federal or state government agency, there is an attestation that the
submission is true and accurate to the best of the individual's knowledge,
she says.

Red Flags
Besides the disparity in the number of individuals JDC reported to Texas
and federal regulators as affected by the breach, there are other troubling
issues involving the entity's incident, some experts note.

"Children's [dental and orthodontic] records were involved, which is even
more disconcerting because of the other crimes which are perpetrated
against children," Rose says.

As for the JDC breach potentially compromising records of Dallas Mavericks
players who are patients of the practice, Rose says: "In social engineering
terms, targets such as professional sports figures are termed 'whale
fishing' because they are big targets with deep pockets."

There is always a heightened propensity for individuals - including
insiders - to access the medical records of celebrities and public figures
for a variety of different reasons, she says.

"The best approach is to have limited access to these individuals' records,
which is accomplished by having role-based access and audit logs."

Many organizations also take additional steps to protect what they consider
VIP patients, including implementing certain electronic health record
controls and conducting staff training, says Mac McMillan, CEO of
CynergisTek.

"It is absolutely the case that patients of notoriety create interest for
those who treat them - particularly those who advertise it, as JDC has done
- or who are located near public or prominent organizations, be it sports,
government, theatre," he says.

McMillan adds that the bottom line is: "Right now, all of healthcare is at
great risk."

The Dallas Mavericks did not immediately respond to ISMG's request for
comment, including whether any of its team members had been notified that
their health and personal information was potentially compromised in the
JDC incident.