JDC Healthcare Management, which operates more than 70 dental clinics in Texas as Jefferson Dental & Orthodontics, has recently notified the Texas Attorney General about a malware incident that was detected in August 2021.
JDC said it identified a security breach on or around August 9, 2021, and steps were immediately taken to secure its systems. A third-party forensic firm was engaged to investigate the breach and determine the nature and scope of the security incident and whether patient data had been accessed or exfiltrated from its systems. The investigation confirmed on August 13, 2021, that the individuals behind the cyberattack had viewed or acquired documents from its systems that contained the sensitive data of Texas residents. JDC said that at the time of issuing notification letters, it had not found any evidence to indicate any data had been misused as a result of the security breach.
The exact nature of the installed malware was not publicly disclosed, but JDC said the malware provided unauthorized individuals with access to its network between July 21, 2021, and August 16, 2021. A review was conducted to determine the individuals affected and the types of information in the documents on the compromised parts of its systems. JDC said those documents contained names, dates of birth, Social Security numbers, driver’s license numbers, and financial, clinical, and health insurance information. JDC said it sent notifications to affected individuals in January 2022.
Texas has data breach notification laws that require the state Attorney General to be notified about any security incident that exposes the sensitive data of 250 or more Texas residents. The breach notification laws in the state were updated last year, and since September 1, 2021, the Texas Attorney General has been required to publish breach notification letters on its website. The breach notice sent to the Texas Attorney General indicates the sensitive information of 1,026,820 Texas residents was potentially compromised as a result of the malware attack.
Dental clinic operators are classed as covered entities under the federal Health Insurance Portability and Accountability Act (HIPAA), which also has data breach reporting requirements. The Department of Health and Human Services must be notified about any breach of protected health information under HIPAA. The breach has yet to appear on the HHS’ Office for Civil Rights Breach Portal, so it is currently unclear if the breach was limited to Texas residents, or if other individuals have also been affected.