Dental service organization (DSO) Great Expressions Dental Centers was hit by a cybersecurity incident that disrupted some of its information technology (IT) operations and breached some sensitive personal data, including patients' medical and dental histories and Social Security numbers.
An investigation revealed that an unauthorized party accessed Great Expressions’ systems during a six-day period in February 2023. After investigators concluded an initial analysis, the DSO, which has more than 300 affiliated practices in the U.S., began notifying patients on May 12 of the data breach, according to a notice posted on May 17 on Great Expressions' website.
“We take this incident very seriously and sincerely regret any concern this may cause,” the notice states.
Great Expressions sought the assistance of a third-party forensic investigator and law enforcement after it identified unusual activity on its systems. It revealed that an unapproved party accessed or removed some files between February 17 and 22.
The ongoing analysis of the files potentially involved in the incident revealed that they contained personally identifiable information belonging to some Great Expressions patients. The information varied per patient but could have included one or more of the following:
- Patient names
- Dates of birth
- Contact information
- Mailing addresses
- Social Security numbers
- Driver’s license numbers
- Financial account information
- Credit or debit card numbers
- Diagnosis and treatment information
- Medical and dental history
- Dental examination information
- Charting information and treatment plans
- X-ray images
- Billing records and costs of services
- Prescription and/or health insurance information
Though the above information may have been compromised, Great Expressions’ electronic medical records system was not involved in the incident, according to the notice. Great Expressions said that it has implemented additional safeguards and technical security measures to further protect and monitor its systems against future cybersecurity incidents.
The incident comes just weeks after TAG - The Aspen Group, the parent company of DSO Aspen Dental, was hit with a cybersecurity attack. In April, the company reported that the attack temporarily impacted its ability to access the scheduling, phone, and other business applications at Aspen Dental, according to an Aspen Dental press release dated April 27. Aspen stated that although its offices are open and patients are being treated, it cannot provide a specific timetable as to when everything will be completely back to normal.
The event at Aspen was discovered early by its IT team, but the investigation is ongoing. As of the April 27 press release, Aspen said it was unsure whether patients' personal data was compromised. If it is determined that sensitive information was involved, “we will notify those individuals in accordance with applicable law and as quickly as possible,” Aspen stated in the release. Currently, Aspen, which is one of the largest DSOs in the U.S., has about 1,100 affiliated practices in 45 states.
These two incidents haven’t been the only ones that have affected dentistry. In April 2022, the ADA was hit with a cyberattack that shuttered its operations for nearly three weeks. The ADA informed its membership that the attack led to technical difficulties, forcing it to take its phone, email, membership, and online chat systems offline.
At the time, the ransomware gang Black Basta claimed responsibility for the attack on the ADA, which has about 162,000 members. Black Basta claimed on a data leak page that it had taken 2.8GB of stolen data, including nondisclosure agreements, W-2 forms, and accounting sheets.