How to respond to a data breach in a dental practice

In dental practices, a data breach typically involves the compromise of patient information, such as personal details, medical records, or financial data. Responding to a breach can take several forms depending on the severity of the compromise to patient data. 

What is a data breach?

A data breach occurs when unauthorized individuals gain access to, acquire, or disclose protected or sensitive data without proper authorization. It involves the compromise of data, such as personal information, financial records, or intellectual property, either through malicious activities or unintentional actions. Data breaches can result from various factors, including cyberattacks, system vulnerabilities, physical theft, or insider threats. 

Related: What is a data breach?

Steps for Dental practices dealing with a data breach

1. Incident identification

Identify and document any potential breach or security incident. This can be achieved through various means, including system logs, security monitoring tools, employee reports, or suspicious activity alerts.

2. Response team formation 

Assemble a designated incident response team that includes individuals from IT, compliance, legal, and management. For small practices, this might be a single person. This team (or individual) will coordinate and execute the breach response plan. 

3. Preliminary assessment

Conduct an initial assessment to gather information about the breach. Determine the nature and scope of the incident, the type of data potentially compromised, and the potential impact on patients and dental practice.

4. Containment

Take immediate action to contain the breach and prevent further unauthorized access or disclosure of PHI. This may involve isolating affected systems, disabling compromised accounts, or implementing temporary security measures.

5. External expert involvement

Engage external experts, such as legal counsel or cybersecurity professionals experienced in HIPAA breaches, to provide guidance and support throughout the assessment and containment process.

6. Investigation and documentation

Conduct a thorough investigation into the breach to determine its root cause, the extent of the data compromised, and any vulnerabilities that allowed the breach to occur. Document the findings, actions taken, and remediation efforts.

7. Notification and reporting

Determine whether the breach meets the criteria for notification to affected individuals, the Office for Civil Rights (OCR), or other regulatory bodies. Follow the appropriate notification and reporting requirements within the specified timeframe.

8. Mitigation and assistance

Implement measures to mitigate the impact of the breach on affected individuals. This may include providing guidance on protecting personal information or assisting with identity theft resolution.

9. Documentation retention

Maintain detailed records of the breach response process, including incident reports, notifications, evidence collection, and actions taken. These records are necessary for compliance, legal purposes, and potential audits.

American Dental Association (ADA) guidelines for data breaches

The ADA provides guidelines and resources to assist dental practices in safeguarding personal health information (PHI) and protecting against cyber threats. These include

1. Administrative safeguards: The ADA recommends that dental practices develop a comprehensive security plan that outlines policies and procedures for protecting PHI. This plan should include workforce training and awareness programs to educate employees about their roles and responsibilities in safeguarding patient data. The guidelines also stress the requirement to designate a privacy and security officer to oversee compliance with privacy and security policies.
2. Technical safeguards: Dental practices are encouraged to implement technical safeguards to secure electronic PHI (ePHI). This includes using access controls like unique user IDs and passwords to limit access to authorized individuals. The ADA advises the use of encryption for transmitting ePHI over networks and recommends implementing mechanisms for audit logs, which can help track and monitor access to ePHI systems.
3. Physical safeguards: The ADA guidelines emphasize the need to protect physical access to areas where PHI is stored. This involves measures such as securing computer workstations and restricting access to storage areas that contain PHI. The guidelines also recommend implementing policies for the disposal of PHI, including shredding or permanently destroying paper records and properly wiping electronic media.
4. Risk assessments: The ADA advises dental practices to conduct regular risk assessments to identify potential vulnerabilities and evaluate the effectiveness of security measures. These assessments help identify improvement areas and develop strategies to mitigate risks. The guidelines suggest that dental practices should document their risk assessments and periodically review and update them to address emerging threats and changes in technology.

When to report to the OCR

A dental practice meeting the definition of either covered entity or business associate should report a HIPAA data breach to the Office for Civil Rights (OCR) in the following circumstances:

1. Breach of 500 or more individuals: If a data breach affects 500 or more individuals, the dental practice must report the breach to the OCR without unreasonable delay, but no later than 60 days from the discovery of the breach.
2. Breach of fewer than 500 individuals: If a data breach affects fewer than 500 individuals, the dental practice must maintain a breach log and annually submit a report to the OCR. This report should summarize all breaches that occurred during the calendar year, even if they were discovered in previous years.
3. Immediate notification: If a breach poses a significant risk of harm to individuals, the dental practice should promptly notify affected individuals, the OCR, and potentially the media. The dental practice should provide the necessary details of the breach, the steps taken to mitigate the risk, and the support offered to affected individuals.

Communicating with patients 

A HIPAA breach should be communicated to patients without unreasonable delay once the breach has been discovered and assessed. Prompt notification enables affected patients to take necessary steps to protect themselves and mitigate potential harm.

Dentists should communicate the breach with patients by preparing a clear and concise breach notification letter that includes details such as a description of the breach, types of compromised information, potential risks, and mitigation steps. This should also be personalized to each affected patient, provide clear instructions on protective actions, and use the appropriate communication method such as HIPAA compliant email. 

Incidents of dental data breaches

Notable dental-related data breaches include the Professional Dental Alliance (PDA) breach between March 31 and April 1, 2021, due to an email phishing incident. The breach did not involve patient electronic dental records or dental images, but sensitive personal information may have been present in the compromised email accounts. The breach impacted 125,760 patients across multiple states and was reported to the OCR. 

Another is the cyberattack on the ADA. The organization said it discovered the attack on April 21, 2022, when certain systems — including its Aptify email application, telephone network, and web chat — were disrupted. The IT team took the affected systems offline and began the investigation. On July 15, 2022, the ADA sent data breach notification letters to all individuals whose information was compromised in a data security incident. This indicates that personal data belonging to these individuals was exposed or accessed without authorization. Two days later, on July 17, 2022, consumer privacy attorneys and data breach lawyers established online portals specifically for the victims of the breach.

Related: Do dentists need to comply with HIPAA?