Westend Dental’s HIPAA Hail Mary: A Comedy of Errors (and Hard Drives)

When it comes to dental hygiene, Westend Dental LLC is a name you might trust with your pearly whites. But when it comes to safeguarding patient data? Well, let’s just say you’d be better off hiding your health records under your mattress.

In what might be the most spectacular attempt at gaslighting in healthcare history, Westend Dental tried to convince everyone that a ransomware attack in 2020 wasn’t actually a breach of sensitive patient information but merely the result of an “accidentally formatted hard drive.”

Unfortunately for them, not even their floss-thin excuse could hold up under scrutiny.

The Great Dental Debacle

Here’s what really happened: in October 2020, Westend Dental fell victim to the Medusa Locker ransomware group. For those unfamiliar, Medusa Locker isn’t just your run-of-the-mill ransomware—it’s the varsity team of cyber extortion, employing double extortion tactics that encrypt your data while simultaneously threatening to leak it. Because nothing says “professional dentistry” like hackers waving your x-rays and billing records in your face.

Westend Dental, in its infinite wisdom, opted not to report the attack as required by HIPAA regulations. Instead, they went with the bold strategy of ignoring it entirely and hoped everyone else would too. Spoiler alert: that didn’t work.

From Ransomware to Ridiculous Excuses

Fast forward two years to October 2022, when Westend Dental finally submitted a breach notification to the State of Indiana. The excuse? An “accidentally formatted hard drive.” Right. Because everyone knows hard drives format themselves all the time, especially during ransomware attacks.

It wasn’t until a frustrated patient complained about not receiving their dental records that the Indiana Office of Inspector General (OIG) started digging deeper. What they uncovered was less of a data breach and more of a full-blown data apocalypse.

HIPAA: What’s That?

The investigation revealed that Westend Dental’s approach to HIPAA compliance was more “wild west” than “regulatory gold standard.” Here’s a sampling of their greatest hits:

  • No HIPAA Training: Employees weren’t trained on HIPAA policies until November 2023. That’s three years after the attack. Maybe they were waiting for a YouTube tutorial to drop?
  • Password Protocols? What Password Protocols?: Every server containing protected health information (PHI) used the same username and password. That’s like locking your doors and hiding the key under a “KEY HERE” doormat.
  • Servers in Bathrooms: Some servers were reportedly located in break rooms and bathrooms. Because nothing screams “secure data storage” like your patient files sitting next to the air freshener.
  • No Risk Analysis: Apparently, no one thought to analyze the risks of listing usernames and passwords in plain text on a compromised server. Shocking.

Who Was Affected?

Since Westend Dental didn’t bother conducting a forensic investigation, the exact number of patients affected remains a mystery. What we do know is that the company served around 17,000 patients at the time. That’s a lot of people who might now be wondering if their dental history is floating around on the dark web.

And if you thought the incompetence ended there, think again. The company’s third-party backups were incomplete, which meant they couldn’t even inform patients about the breach. It’s like losing your keys and then realizing you never made a spare.

The (Inevitable) Consequences

After their laundry list of HIPAA violations came to light, Westend Dental finally faced the music in the form of a $350,000 settlement. While that might seem steep, it’s probably a bargain considering the scale of their negligence.

The company has since promised to improve its data security practices, though at this point, one can only hope they’ve at least moved the servers out of the bathroom.

Lessons Learned (or Not)

Westend Dental’s tale is a masterclass in how not to handle cybersecurity. From denying the breach to their laughably lax approach to HIPAA compliance, this saga is equal parts cautionary tale and sitcom material.

For the rest of us, let this be a reminder: when someone claims they “accidentally formatted a hard drive,” always ask for receipts. Especially if that someone is also responsible for your root canals.