Dental Center Chain Resolves Data Breach Lawsuit with $2.7 Million Settlement

2023 Cybersecurity Breach Impacts 1.9 Million Individuals at Great Expressions Dental Centers

In a significant cybersecurity incident, Great Expressions Dental Centers, a Michigan-based dental organization operating 250 locations across nine states, has reached a preliminary settlement of $2.7 million over a hacking event that compromised the personal data of more than 1.9 million patients and employees. This breach, reported on May 12, 2023, involved unauthorized access to sensitive information, raising concerns about data security practices in the healthcare sector.

The incident targeted both current and former patients as well as employees, resulting in the exposure of critical personal information, including names, Social Security numbers, financial account details, and medical histories. The lawsuit, now under preliminary settlement discussions, outlines allegations of negligence against Great Expressions for failing to adequately protect this sensitive data, which was allegedly stored in an unencrypted, internet-accessible environment.

According to the proposed settlement, which awaits a final fairness hearing scheduled for December 12 in a federal court in Michigan, affected individuals will be compensated according to the type of information that was compromised. Those whose Social Security numbers were accessed can claim up to $500 for ordinary losses, with potential further reimbursement, capped at $5,000, for extraordinary losses not covered by existing insurance. Affected individuals whose data remained secure will be entitled to compensation for up to two hours of response time at $20 per hour.

The intrusion could map to several MITRE ATT&CK tactics. Under Initial Access, threat actors gain entry to the network, possibly through phishing or by exploiting software vulnerabilities. Persistence techniques may have been used to maintain access to the compromised systems, and later phases could have included Privilege Escalation to reach sensitive data.

In response to the breach, Great Expressions has committed to enhancing its cybersecurity measures, which is a necessary step for any organization facing similar threats. This includes implementing multifactor authentication, revising information security protocols, and employing modern security measures such as endpoint detection and vulnerability management tools. It is crucial for organizations to elevate their security practices, particularly in the healthcare industry, where patient information is a high-value target for cybercriminals.

Furthermore, the complaints lodged against the organization extend beyond negligence, highlighting a pattern of inadequate data protection efforts. Great Expressions has denied all allegations of wrongdoing as part of the settlement terms, leaving the broader implications of this incident—regarding both public trust and regulatory scrutiny—still under consideration.

Great Expressions has faced challenges previously; its Georgia practice was involved in a HIPAA-related “patient right of access” settlement in 2022, addressing similar concerns about access to medical records. The continuation of such breaches not only leads to financial settlements but may also invoke stronger regulatory actions, as seen recently with other dental practices fined for failing to provide timely access to records.

As the frequency and impact of data breaches continue to rise, organizations must remain vigilant in their cybersecurity efforts. The Great Expressions case serves as a reminder of the importance of robust data security frameworks to safeguard sensitive information against emerging cyber threats.
