In 2017, a dental practice in Tennessee discovered ransomware on an office computer. This malicious software blocked access to the health and financial information of almost 3,000 patients, and the dentist was unable to determine whether that patient information had been shared outside of the clinic.
The consequences to the practice were costly. The managing dentist had to designate a new privacy and security officer, change IT vendors, and create a new Health Insurance Portability and Accountability Act (HIPAA) training program.
Pat Little, DDS, president and founder of Dental Risk Concepts.Incidents similar to this one are happening to dental and medical offices all over the U.S. In fact, on February 4, the U.S. government reported it was investigating a breach that could affect 10,000 patients at a Texas dental clinic.
But this doesn't have to be your practice's story. Dr. Pat Little, DDS, spoke about how dentists can protect themselves and their patients from medical identity theft at the Chicago Dental Society Midwinter Meeting on February 21.
"Dental and medical identity theft is the fastest-growing and most lucrative form of identity theft," Dr. Little, president and founder of Dental Risk Concepts, told DrBicuspid.com. "Any breach that affects our patients' private data can result in devastating legal and financial consequences."
The value of a dental record
Medical identity theft is the fastest-growing form of identity theft simply because it is so lucrative, Dr. Little explained. To hackers, a dental chart is more valuable than a Social Security number because it often contains far more information.
"With a Social Security number, they can do damage typically with one person's account," Dr. Little said. "But if they can steal dental records, they have a medical record not only for that patient but also for all the other family members, which would include Social Security numbers, birth dates, everything they would need to open up multiple accounts in multiple locations."
Hackers and identity thieves use three main methods to get access to protected patient information:
- Dumpster diving: Identity thieves will literally dig through garbage and recycling bins, looking for information that hasn't been properly shredded and disposed of.
- Physical theft: Thieves will break into dental practices and cars to steal laptops, phones, computers, servers, and other devices that may contain unsecured patient information.
- Phishing scams: Hackers will send an email with a hyperlink that someone in the practice clicks and opens. This link then infects the computer with malware, which can harvest patient information and/or lock the computer and demand a ransom to reopen it.
Phishing scams are the most common of the three methods, and they're not always obvious. The best hackers can make emails and hyperlinks look legitimate, like they are coming from a patient, good friend, dental supplier, or credit card company.
Once hackers and thieves have patient information, they can monetize that data in a number of ways, including selling dental records on the black market, opening credit cards and bank accounts in your patients' names, or even going to the dentist masquerading as one of your patients.
In addition, the financial consequences of a breach can be catastrophic for dentists and dental practices. Dentists may face fines of hundreds of thousands of dollars, and they'll likely lose patient confidence and experience turnover.
"The HIPAA fines for a breach can be staggering," Dr. Little noted. "The maximum fine is $1.5 million. I've never seen a dentist have to pay that much money, but [the fines] can easily go into six figures if the government decides the dentist acted with reckless disregard."
How to protect yourself
Private practices are small businesses that often don't have the IT resources of larger businesses, a weakness that thieves and hackers are all too happy to exploit. However, dentists can take certain steps to protect themselves and their patients' information.
First, dentists can and should partner with an IT company that is knowledgeable about HIPAA compliance and security. Dr. Little recommends asking companies whether they represent other dentists and how familiar they are with HIPAA security and the dental profession.
It's also important for dentists to educate themselves and their staff about HIPAA security. One of the most dangerous things dentists can do is think that a breach can't happen to them because they're careful or have antivirus software.
"Watch the mentality that this can't happen to me," Dr. Little cautioned. "It's happening with alarming frequency now. Make sure you protect yourself with a good IT partnership."
