A cyber-attack on the vendor of a network of dental practices may have exposed the data of tens of thousands of patients.
A cyber-criminal used a phishing attack to gain access to the computer systems of North American Dental Management between March 31 and April 1, 2021. Pittsburgh-based North American Dental Management provides administrative and technical support services for Professional Dental Alliance (PDA) offices.
PDA notified patients that an unauthorized individual may have accessed some of their protected health information (PHI) after the security breach.
The information that may have been exposed was stored in email accounts that the attacker could breach.
"Professional Dental Alliance (‘PDA’) was recently notified that a few email accounts of its vendor, North American Dental Management, containing some limited patient information were accessed by an unauthorized person between March 31 and April 1, 2021, as the result of an email phishing incident," stated PDA affiliate Grove Dental Associates in a data breach notice published on its website.
"At this time, the identity of some individuals is known, but the vendor’s investigation is ongoing."
After discovering the breach, North American Dental Management took steps to secure the compromised email accounts and launched an investigation.
PDA said that it had not found any evidence of any actual misuse of personal information and that its investigation of the matter indicates that the attack was limited to email credential harvesting.
The threat actor did not access PDA’s patient electronic dental record or dental images; however, the Alliance found that some sensitive personal information may have been present in the compromised email accounts.
Grove Dental Associates said: "The full extent of the potentially affected personal information is not yet known and will vary between persons, but it may include the following: name, address, email address, phone number, dental information, insurance information, Social Security Number, and/or financial account numbers."
The breach was reported to the DHS’s Office for Civil Rights, impacting 125,760 patients in Connecticut, Florida, Georgia, Illinois, Indiana, Massachusetts, Michigan, New York, Texas and Tennessee.
PDA is offering complimentary credit monitoring and identity theft services for two years for potentially affected patients.