
Cyber Incident Victim: Dental Health Management Solutions

Date: Jul 2021

Location: United States of America

Summary

Dental Health Management Solutions experienced a network intrusion compromising sensitive patient data, including names, addresses, medical and insurance details, financial information, and Social Security numbers. The breach affected 3,205 individuals, with the organization responding by enhancing security measures such as password changes and multifactor authentication. Affected individuals were offered credit monitoring and identity protection services. Notably, notifications were delayed significantly beyond the regulatory requirement, though specific reasons for the delay weren't provided in the announcement.


Description

Dental Health Management Solutions (DHMS), a Cedar Park, Texas-based provider of dental services to government/military and private patients, experienced a network intrusion that compromised protected health information. The breach occurred on or around July 17, 2021, though DHMS did not detect the unauthorized network access until August 20, 2021. A subsequent forensic investigation confirmed both the intrusion date and the scope of data exposure. The organization conducted a comprehensive review of all potentially accessed files, determining that 3,205 individuals had their sensitive information exposed. The compromised data varied by individual but included names, addresses, medical treatment details, health insurance information, Medicaid identification numbers, driver's license information, financial account and routing numbers, and Social Security numbers. This combination of personal, medical, and financial identifiers created significant privacy risks for affected patients.

In response to the incident, DHMS implemented security enhancements including password changes and multifactor authentication across its systems. The organization began notifying affected individuals in February 2023 through letters that offered complimentary credit monitoring and identity protection services. This notification occurred approximately 18 months after breach discovery, significantly exceeding the 60-day notification timeframe required under HIPAA regulations. DHMS's legal counsel submitted the required breach notice to the Maine Attorney General but did not provide justification for the delayed patient notifications in their public disclosure. The breach exposed multiple categories of high-sensitivity data that could facilitate identity theft or financial fraud, though no specific evidence of misuse was detailed in the notification. DHMS's remediation focused on security hardening and consumer protection services without disclosing additional technical details about the attack methodology or system vulnerabilities exploited.
