Cyber Incident Victim: Smith Dental
Date: Nov 2017
Location: United States of America
Summary
A ransomware attack targeted a Tennessee dental practice's internal servers, potentially compromising clinical, demographic, and financial information of approximately 1,500 patients. While no evidence indicated protected health information was accessed or exfiltrated, the entity implemented additional physical and technical safeguards to prevent future incidents. Affected individuals were advised to consider credit monitoring services and provided a contact number for inquiries, though details regarding direct patient notifications remained unclear. The incident was reported to federal health authorities following delayed public disclosure via the practice's website.
Description
Smith Dental, a dental practice in Tennessee, experienced a ransomware attack targeting its internal computer servers in November 2017. The incident was reported to the U.S. Department of Health and Human Services (HHS) on January 22, 2023, over five years after the attack occurred. The HHS breach report classified the event as a hacking/IT incident affecting approximately 1,500 patients. While the practice stated it found no evidence that protected health information was accessed, copied, or distributed, it acknowledged the potential compromise of clinical, demographic, and financial information belonging to patients. The delayed notification timeline and absence of immediate public disclosure raised questions about incident response protocols.

The practice eventually posted a notice on its website's About section, though the exact publication date remained unclear as of February 2023. This notice advised patients to consider securing their credit profiles or enrolling in commercial credit monitoring services, shifting responsibility for protective measures to affected individuals. Smith Dental provided a dedicated phone number (877-480-0566) for patient inquiries but did not confirm whether formal breach notification letters were mailed to impacted individuals. The practice implemented additional physical and technical safeguards following the attack, expressing confidence in preventing future incidents. Multiple attempts by media outlets to obtain clarification regarding notification methods and mitigation support received no substantive response beyond automated acknowledgments.
