Ransomware Attack Suffered by Seller of Dental Center of Northwest Ohio

January 3, 2019


Notifications are being sent to current and ex-patients of the Dental Center of Northwest Ohio in Toledo to instruct them that some of their protected health information might have been disclosed because of a ransomware attack on one of its sellers.

Managed IT service provider, Arakyta, contacted with the dental center on September 1, 2018, to make them aware that a safety breach on a server hosting some dental center systems. With the assistance of third-party computer experts, the dental center realized on November 7, 2018, that an unknown, illegal person had logged on to the server and had possibly seen or copied patient data.

No proof of data theft was found and no reports have been received from patients to suggest any protected health information was stolen and wrongly used. Nevertheless, as it was not possible to disregard data theft with a high level of confidence, measures were put in place to issue notification alerts to patients and to provide them with complimentary credit checking and identity theft restoration facilities.

The variety of data possibly seen/copied by the attacker included full names, health insurance information, patient identification numbers, medical records, clinical history, treatment information, diagnosis records, medical histories, state identification numbers, driver’s license details, Social Security numbers, dates of birth, home addresses, benefit information, and financial data.

The dental center and Arakyta, individually, had safety measures applied to avoid illegal data access, but those safety measures didn’t obstruct the hacker. The company has since amended its plans that deal with the secrecy and safety of patient data and has put in place additional safety measures to eliminate further breaches of protected health information.

The Division of Health and Human Services’ Office for Civil Rights (OCR) and other applicable authorities have been made aware of the breach.  Nevertheless, the breach summary has yet to be added to the OCR online breach portal, and as such there are no particulars available regarding the number of patients that have been affected.