DSO Dental Care Alliance would pay $3M in proposed settlement

2020 03 04 22 13 2425 Gavel Money 400

A judge in Georgia signed off on a proposed agreement that calls for dental service organization (DSO) Dental Care Alliance (DCA) to pay $3 million to settle a lawsuit stemming from a 2020 cyberattack that affected about 1 million patients and employees.

On September 1, a state judge in Georgia is scheduled to vote on the proposed settlement agreement, which calls for DCA to pay individuals who submit valid reimbursement claims for losses associated with the data breach. If the agreement is approved, the DSO also will enhance its data security.

In October 2020, DCA learned of a cyberattack on its network. A third-party forensic audit revealed that unauthorized activity went on for nearly a month and that confidential files related to at least 1 million people had been accessed. From October 2020 to April 2021, the DSO notified potential victims, according to the order.

Sensitive patient data were likely compromised in the data breach, according to court filings in the State Court of Fulton County in Georgia. Patient names, bank account numbers, billing information, dental diagnoses, and treatment plans may have been affected. Additionally, hackers may have gained access to employee names, Social Security numbers, and financial information.

In 2021, several patients and employees filed a class action suit against DCA, which has more than 360 affiliated practices in 21 states, making it one of the largest DSOs. In the suit, patients and employees made several claims, including that the DSO was negligent in how it maintained its private data.

Not the first to fall prey to hackers

DCA is certainly not the first dental organization to fall victim to a cyberattack. Cyberattackers have been targeting healthcare and dental organizations and related businesses for years.

In April, a ransomware attack paralyzed the ADA's operations for several weeks by crippling its communications systems and more. Several state associations in Florida, New York, and Virginia were also affected. Ransomware gang Black Basta took responsibility for the attack, alleging they had stolen 2.8GB of stolen data, including W-2 forms, nondisclosure agreements, and personal information about ADA members.

In another attack against a DSO, in February 2020, Texas-based Jefferson Dental Care Healthcare Management was struck with a phishing attack that reportedly affected the personal health data of more than 45,000 patients.

Not even one year prior, in August 2019, a ransomware attack left about 400 dental practices in the U.S. without access to important electronic files. The attack targeted DDS Safe, medical records software Digital Dental Record, and IT partner PerCSoft. A virus was deployed on the software used by the companies to back up patient data, including payments and x-rays.