Brace Yourself: 9 Examples of Dental HIPAA Violations


The Health Insurance Portability and Accountability Act (HIPAA) requires standards to protect patients’ health information so that it isn’t disclosed without proper consent. Improper disclosure can happen for many reasons, resulting in a reportable violation. 

Sometimes human error causes these violations. Workforce members may intentionally share PHI, send data to the wrong individual, or improperly dispose of PHI. Other times, breaches occur when hackers find and exploit cybersecurity vulnerabilities.

Dental practices have had their share of violations. Some of these breaches resulted from intentional actions, but others were out of the practices’ control.

Here are nine examples of dentists and dental practices that suffered HIPAA breaches.


Anchorage, Alaska Dentist

Alaskan dentist Dr. Seth Lookhart performed a tooth extraction on a sedated patient while riding a hoverboard. The dentist had the extraction filmed, then sent the video to several people. He joked that performing oral surgery while on a hoverboard was the “new standard of care.”

The patient said she didn’t consent to the filming of the procedure, so Lookhart violated her privacy both by filming it and by sending the video. She also did not consent to having her tooth taken out while the dentist was on a hoverboard.

The state filed a lawsuit that charged Lookhart with “unlawful dental acts.” He was also found guilty of committing medical assistance fraud for billing Medicaid for procedures that were unnecessary or not justified. The case led to Lookhart’s conviction on 46 felony and misdemeanor counts. The judge scheduled sentencing for April 30, 2020.

Elite Dental Associates

A patient submitted a complaint to the Office for Civil Rights (OCR) against Elite Dental Associates after an incident on the business review platform Yelp. The practice responded to a review by disclosing the reviewer’s last name and details about their health condition. 

Through an investigation, the OCR found that this wasn’t the first time the practice had improperly disclosed patient data. Elite had disclosed protected health information (PHI) of other patients in response to reviews on its Yelp page. Not only did Elite violate patient privacy, but it also didn’t have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.

Elite received a fine for the several violations. The practice paid $10,000 to settle its improper disclosures of PHI. This fine was substantially lower than it could have been, since each violation could have cost up to $50,000. With several previous uncorrected violations, Elite might have faced a fine of as much as $1.5 million.

But OCR accepted the low settlement because of Elite’s size, financial circumstances, and cooperation. Elite also had to adopt a corrective action plan to settle the violations. This includes two years of monitoring by the OCR for compliance with HIPAA regulations.

Canyon Ridge Endodontics

In August 2019, a patient posted a harsh review on Yelp about a dental procedure she received. This prompted a backlash from the doctor.

The endodontist responded to the claims with the patient’s specific dental history details and procedures since 2013. The doctor’s goal was to prove that the patient’s dental problems were not his fault.

An anonymous tipster filed a complaint with the Arizona State Board of Dental Examiners, worried that the information violated HIPAA. The doctor wrote in his response that since the patient put her grievances online, she had forfeited her right to confidentiality.

An outside attorney who was not involved in the case said that this is not how it works. If a patient posts a comment about a provider, it doesn’t give the provider permission to disclose any PHI.

Key Dental Group

When the Florida-based Key Dental Group switched providers, it asked its former vendor to return its EMR database. The end-user license agreement (EULA) stated that the vendor must return all patient data after the termination of the agreement. But the vendor refused.

The practice said that the vendor violated HIPAA since it was a business associate. Because the violation could have led to unauthorized access to PHI, the security breach required the practice to notify patients.

Key Dental Group couldn’t access, track, or protect the database from unauthorized access after the termination of the EULA. Since there was no way to determine if there was wrongful access, it was necessary to send notifications. 

Delta Dental of Arizona

Delta Dental Arizona noticed suspicious activity with an employee’s email account in July 2019. After launching an investigation, it found that the employee fell for an email phishing attempt. An unauthorized individual gained access to the account through the scheme.

Delta Dental Arizona had no evidence of data misuse within the account, but couldn’t rule out the possibility. The practice took steps to identify all data within the compromised account so that it could notify affected individuals. 

Advantage Dental

The Oregon-based company Advantage Dental provides dental services for over 30 clinics. In 2015, it discovered that hackers used malware to access its internal computer systems over three days. 

As soon as the company detected the activity, it shut off access to the data. But Advantage Dental determined that the attackers had already accessed patient information. This is a reportable HIPAA breach since it exposed Social Security numbers along with names and contact information.

Advantage Dental’s investigation determined that the records of over 150,000 customers were affected. The investigation found no evidence that the hackers used the information for criminal activity.

Digital Dental Record

The software company Digital Dental Record suffered a breach of its backup solution in August 2019. About 900 practices were using the company’s medical record backup service, DDS Safe. Hackers accessed DDS Safe through a ransomware attack on its cloud management provider, PerCSoft. 

The attack affected nearly 400 dental practices that use the DDS system. PerCSoft used a third-party software company to get a decryptor to recover the client files. Recovery took between 30 minutes and four hours for some clients, according to DDS. For some practices, the decryption process didn’t work and they still lost files.

Complete Technology Solutions

Complete Technology Solutions (CTS) provides IT services to dental offices. CTS suffered a ransomware attack in November 2019 that affected more than 100 dental practices’ services.

CTS declined to pay the $700,000 ransom to unlock the affected systems at all dental locations. The impact differed for each CTS client. Some were able to use off-site backups of their data. One dental practice received no help from its insurance and experienced a great loss of income.

Others had to work with outside experts to negotiate and pay the ransom for their own office only. Two sources said that they received several ransom notes. Once they paid the attackers, the decryption key unlocked only some of their files. This caused them to spend more time and money to obtain all the keys needed to restore full access.

Kokomo, Indiana Dentist

The Indiana Attorney General’s Office sued Dr. Joseph Beck for improper disposal of PHI. In 2011, the Indiana Board of Dentistry revoked Beck’s license for negligence and fraudulent billing. Then in 2013, the dentist received a fine of $12,000 from the state. This was the first time that the state’s Attorney General’s Office had sued for a HIPAA violation.

Beck had hired the data company Just the Connection Inc. to retrieve and destroy paper records from his former patients. But more than 60 boxes of the patient records ended up in the recycling dumpster of a church. The boxes contained almost 7,000 files dating from 2002-2007 from his former Comfort Dental practice. There was no reported identity theft.

Conclusion

In order to avoid exposing sensitive information to malicious attackers, dentists need to stay vigilant…

  • Employees must have proper training, so they don’t incorrectly disclose PHI. 

  • Regular risk assessments must occur to identify system vulnerabilities before a hacker does. 

  • Vendors must be thoroughly reviewed to ensure that they’re trustworthy.

Achieving all three of these preparations will ensure that you’re making the best effort to protect your patients’ privacy through security. Although data breaches may still occur due to situations outside of your control, staying prepared ensures you’re adhering to the Minimum Necessary Standard.