Cyber Incident Victim: Patterson Companies Inc
Date: Feb 2016
Location: United States of America
Summary
A cybersecurity incident involving unauthorized access to a third-party vendor's systems compromised sensitive information of approximately 4,300 dental patients associated with Massachusetts General Hospital. The breach occurred at Patterson Dental Supply Inc., which managed dental patient data for multiple practices, exposing names, dates of birth, Social Security numbers, and in some cases, appointment details, provider names, and medical record numbers. Law enforcement delayed public notification during their investigation, leading to disclosures approximately three months post-incident. The hospital initiated victim notifications after concluding its own review, emphasizing that its internal systems were not compromised. The incident reflects broader targeting of healthcare data by malicious actors exploiting vulnerabilities in third-party infrastructure.
Description
In February 2016, an unauthorized individual accessed electronic files on systems belonging to Patterson Dental Supply Inc., a third-party vendor providing dental patient management services to Massachusetts General Hospital and other practices. The breach compromised sensitive data of approximately 4,300 MGH dental patients, though hospital officials emphasized their own systems weren’t involved. Law enforcement investigators discovered the intrusion and required MGH to delay public disclosure until May 26, 2016, to avoid interfering with their active investigation. This three-month suppression period extended notification timelines despite the hospital’s awareness of the incident. MGH initiated victim notifications on June 26, 2016, mailing letters confirming attackers potentially accessed names, dates of birth, Social Security numbers, and—for some patients—dental appointment details, provider names, and medical record numbers. Patterson Dental’s compromised database served as the central repository for this information across multiple client practices.

The delayed disclosure timeline drew attention amid broader concerns about healthcare sector vulnerabilities highlighted by contemporaneous reports. While MGH and Patterson Dental didn’t specify technical details about the attack vector or containment measures, industry analysts noted rising threats to medical data, including Conficker worm variants targeting legacy hospital systems. The incident coincided with dark web marketplace listings purporting to sell hundreds of thousands of healthcare records, though no direct connection was established between those listings and the Patterson breach. A University of Pennsylvania-led study released weeks earlier had documented systemic security weaknesses in healthcare organizations, including workforce circumvention of protocols and outdated infrastructure. MGH’s confirmation emphasized the risks inherent in third-party vendor relationships while underscoring law enforcement’s role in controlling breach disclosure timelines during criminal investigations.
