Dental Practice Settles with State Over Alleged Data Breach “Cover-Up”


Indiana Attorney General Imposes $350,000 Fine on Westend Dental Following 2020 Ransomware Incident


In a significant development concerning cybersecurity breach management, Westend Dental, a dental practice operating across six locations in Indiana, has consented to pay $350,000 to the state. This fine comes in the wake of allegations surrounding an attempted cover-up of a ransomware attack that transpired in October 2020. The investigation into the incident began when a patient lodged a complaint regarding unaddressed requests for dental X-rays.

According to a federal lawsuit filed by Indiana Attorney General Todd Rokita on December 23, 2024, Westend Dental allegedly failed to notify affected individuals or conduct an adequate forensic investigation following the ransomware attack. The lawsuit specifies that when a patient sought copies of their X-rays, they were informed that the practice could not provide them due to a hacking incident.

The lawsuit further claims that Westend Dental’s actions potentially infringed upon HIPAA regulations and various state data protection laws. Rokita asserts that instead of openly addressing the breach, Westend tried to obscure the severity of the situation.

It is particularly troubling that the Office of the Attorney General learned about the breach solely through a consumer complaint rather than direct communication from Westend Dental, as required under the law. The dental practice only reported the incident in October 2022, claiming it impacted fewer than 500 individuals, but misleadingly asserted that there was no external intruder involved.

In reality, Westend incorrectly attributed data loss to a formatting error with a server hard drive when, in fact, they were aware that their files had been encrypted by ransomware deployed by the MedusaLocker group, which demanded a ransom for the decryption keys.

As part of a proposed consent order, Westend Dental will remediate this situation by paying the agreed settlement amount, enhancing its data security protocols, and achieving full compliance with HIPAA regulations, while notifying all potentially affected patients as of November 2023. Because no forensic investigation was conducted, it remains unclear how many individuals were genuinely at risk.

The lawsuit does not stop at addressing the ransomware incident; it also raises concerns about Westend Dental’s management of patient information on social media. Allegations suggest that the practice posted protected health information in response to online reviews, including sensitive data of minors, without appropriate consents—violating established privacy norms under HIPAA.

This case aligns with a growing trend where federal regulators have initiated enforcement actions against healthcare providers for mishandling patient information, particularly on social media platforms. Such actions signal a clear expectation for maintaining strict privacy standards, and the penalties imposed on Westend Dental highlight the critical importance of proactive cybersecurity measures and compliance.

Neither the Indiana Attorney General’s office nor Westend Dental has issued a comment at this time regarding the ongoing legal matters.
