2023 Hacking Incident Affected 1.9 Million Patients, Employees
A Michigan-based dental practice with 250 centers across nine states has agreed to pay $2.7 million under a preliminary settlement of a proposed consolidated class action lawsuit centered on a 2023 hacking incident and data breach that affected more than 1.9 million patients and employees.
Under the proposed settlement, which is set for a final fairness hearing on Dec. 12 in a Michigan federal court, Great Expressions Dental Centers has agreed to provide cash benefits to two subclasses of affected individuals: individuals whose Social Security numbers were potentially accessed or acquired by threat actors, and those whose Social Security numbers were not compromised.
Subclass members whose Social Security numbers were compromised get up to $500 for ordinary out-of-pocket losses, and up to $40 for ordinary attested time to respond to the incident. Those subclass members are also eligible for reimbursement of extraordinary losses up to $5,000 per individual for unreimbursed costs, losses or expenses that are fairly traceable to the data security incident.
To subclass members whose Social Security numbers were not affected, Great Expressions has agreed to pay claims for up to two hours of time spent responding to the data security incident at a rate of $20 per hour.
Under the settlement, Great Expressions has also agreed to improve its data security practices.
That includes implementing multifactor authentication; updating a set of centralized information security protocols, including policies for the retention and destruction of patient information; implementing a vulnerability management tool for enterprise patching; implementing endpoint detection and response protection; and ensuring all workstations are encrypted.
Great Expressions reported the hacking incident on May 12, 2023, to the U.S. Department of Health and Human Services as affecting 1.92 million individuals.
An amended consolidated complaint filed against Great Expressions on May 14 said the incident compromised patient and employee information that was stored in an unencrypted, internet-accessible network environment.
Great Expressions said an “unknown actor” acquired the personally identifiable information between Feb. 17 and 22, 2023, the complaint alleged.
For former and current employees, the affected information may include names, Social Security numbers, driver’s license numbers, passport numbers, and/or bank account and routing numbers.
For former and current patients, potentially compromised information includes names, dates of birth, contact information, mailing addresses, Social Security numbers, driver’s license numbers, financial account information, and credit or debit card numbers.
Also potentially compromised were patients’ diagnosis and treatment information, medical and dental history, dental examination information, charting information, treatment plans, x-ray images, dates of service, provider names, treatment, billing records, costs of services, prescription information and health insurance information.
Under the proposed settlement, five plaintiffs also will each receive $2,500 in service awards. Attorneys representing plaintiffs and class members are slated to be paid $900,000, plus expenses up to $25,000.
The lawsuit alleges negligence by Great Expressions for failing to safeguard plaintiffs’ and class members’ sensitive information, as well as an array of other claims.
As part of the settlement agreement, Great Expressions denies any wrongdoing.
An attorney representing Great Expressions did not immediately respond to Information Security Media Group’s request for additional details about the breach and for comment about the settlement.
Great Expressions has dental centers in nine states: Connecticut, Florida, Georgia, Michigan, Massachusetts, New York, New Jersey, Ohio and Texas.
Other HIPAA-Related Incidents
The company’s practice in Georgia – Great Expressions Dental Centers of Georgia – was also the subject of a HIPAA “patient right of access” settlement with HHS’ Office for Civil Rights in 2022 (see: HHS Slaps 3 Dental Practices With ‘Right of Access’ Fines).
The Georgia practice agreed to pay an $80,000 financial settlement and implement a corrective action plan after becoming the subject of a November 2020 right of access complaint. A former patient said the practice refused to provide her medical records after she declined to pay a $170 “copying” fee. The federal investigation determined the practice’s copying fees were not reasonable.
Coincidentally, on Monday, HHS OCR disclosed it has hit a different dental practice with a $70,000 civil monetary penalty as the result of another HIPAA right of access dispute.
Gums Dental Care, a solo dental practice in Maryland that provides family dental care, was assessed the penalty after an HHS OCR investigation into multiple complaints that Gums Dental had failed to provide a woman with timely access to her and her children’s dental records.
The penalty against Gums Dental is HHS OCR’s 50th HIPAA enforcement action in a right of access dispute case since the agency launched its right of access initiative in April 2019 (see: HHS Lowers Some HIPAA Fines).