
Indiana Dental Practice pays a $350,000 fine over ransomware attacks and HIPAA violations

Westend Dental, a prominent Indianapolis-based dental practice, has agreed to a $350,000 settlement with the Indiana Attorney General’s Office (OAG) to address allegations of federal and state law violations. The case stems from a ransomware attack that occurred in October 2020. The attack exposed patients’ protected health information (PHI) and revealed significant shortcomings in cybersecurity and compliance with the Health Insurance Portability and Accountability Act (HIPAA).


The investigation began after a patient reported being unable to obtain their dental records. Evidence indicated that Westend Dental suffered a ransomware attack by the Medusa Locker group on or around October 20, 2020. Despite the breach, the practice delayed reporting the incident for over two years. When it eventually filed a data breach notification in October 2022, Westend Dental claimed that the data loss resulted from the accidental formatting of a hard drive and denied any ransomware involvement. However, sworn testimony in January 2023 contradicted this assertion, confirming that the ransomware attack had occurred and prompting the OAG to expand its investigation.


The ransomware attack compromised the PHI of at least 450 patients from Arlington Westend Dental. The total number of affected individuals remains unknown, because no forensic investigation was ever conducted. The compromised data included usernames and passwords stored in plain text, with identical credentials reused across multiple servers holding sensitive patient information. Investigators noted that the servers were inadequately secured physically, with some located in unprotected areas such as break rooms and bathrooms.


Westend Dental was found to have violated several provisions of HIPAA and state laws. Employees had not received proper HIPAA training until November 2023, and critical policies and procedures were either undocumented or unavailable to staff. There was no evidence of a HIPAA-compliant risk analysis or adequate password management. Moreover, the practice failed to notify affected patients, post-breach notifications on its website, or inform the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).


Leadership failures contributed significantly to the compliance lapses. Dr. Pooja Mandalia, the practice’s owner, and her husband, Dr. Deept Rana, who served informally as the HIPAA Privacy and Security Officer, bore responsibility for overseeing these issues. Dr. Rana admitted to having no monitoring systems in place during the breach. His brother, Kunal Rana, who managed properties and operations for the practice without formal agreements or qualifications, further complicated the situation by having access to systems containing sensitive information.


The Medusa Locker ransomware group most likely gained access through exposed or vulnerable Remote Desktop Protocol (RDP) services, although the practice made no effort to confirm the entry point or to prevent future intrusions. Backups of patient data were incomplete, and no measures were in place to log or trace access to PHI. This lack of accountability and mismanagement intensified the impact of the breach.


The Indiana OAG filed a complaint citing multiple violations, including breaches of the HIPAA rules, the Indiana Disclosure of Security Breach Act, and the Indiana Deceptive Consumer Sales Act. To resolve these issues, Westend Dental entered into a consent order requiring it to pay the financial penalty, implement comprehensive compliance measures, and notify all patients on its records as of November 2023 about the breach.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543