2023 Cybersecurity Breach Impacted 1.9 Million Patients and Employees
Great Expressions Dental Centers, a Michigan-based dental organization operating 250 offices across nine states, has reached a preliminary settlement to pay $2.7 million over a hacking incident that compromised the personal information of over 1.9 million patients and employees. The breach, which the organization reported to the U.S. Department of Health and Human Services on May 12, 2023, has raised serious concerns about data security in the healthcare sector.
The proposed settlement, awaiting final approval in a Michigan federal court on December 12, categorizes affected individuals into two subclasses based on whether their Social Security numbers were compromised. Those whose sensitive information was accessed can claim up to $500 in out-of-pocket expenses and $40 for time spent addressing the breach, along with the possibility of recovering extraordinary losses up to $5,000. For those not directly affected, claims can be made for two hours of their time at a rate of $20 per hour.
To enhance data protection, Great Expressions has committed to key improvements in its cybersecurity protocols, including the implementation of multifactor authentication and an overhaul of its centralized information security measures. The organization will also adopt a vulnerability management tool and ensure that all workstations are encrypted, addressing the weaknesses that allowed for this significant breach.
Allegations stemming from the incident describe the exposure of both patient and employee information that was maintained within an unencrypted network, suggesting an inadequate level of data protection that could have been exploited through initial access and persistence tactics identified in the MITRE ATT&CK framework. Specifically, techniques such as credential harvesting and exploitation of public-facing applications may have played a role in facilitating unauthorized access.
The impacted workforce and patients had various personal details compromised, including Social Security numbers, addresses, financial data, and sensitive medical histories. Such a wide scope of data at risk underscores the critical need for organizations to adopt robust data security measures.
While Great Expressions denies any wrongdoing in connection with this case, the broader implications reflect systemic vulnerabilities within organizations tasked with safeguarding sensitive information. The breach not only threatens individual privacy but also raises questions about the healthcare sector’s resilience against increasingly sophisticated cyber threats.
This incident is not an isolated occurrence; it follows regulatory scrutiny of Great Expressions’ practices, as the organization previously faced penalties related to patient access rights in 2022. Recent actions by the U.S. Department of Health and Human Services also highlight ongoing challenges with compliance and security in similar healthcare environments.
As cyber threats continue to evolve, business owners must remain vigilant, adopting comprehensive cybersecurity frameworks to protect against potential breaches. Failure to do so could lead to severe financial repercussions, both from settlements and potential lawsuits, emphasizing the importance of prioritizing data security within their organizations.