Westend Dental LLC, a U.S.-based chain of dental offices, has agreed to pay a $350,000 fine to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) after misleading patients about a data breach resulting from a 2020 ransomware attack.
The company initially claimed that patient data had been lost due to an “accidentally formatted hard drive,” a statement later proven false during a state investigation. The incident originated in October 2020, when the MedusaLocker ransomware group targeted Westend Dental.
Despite the severity of the breach, Westend Dental chose not to notify affected patients or authorities as required by HIPAA regulations. The company delayed submission of a mandatory data breach notification form to the State of Indiana until October 28, 2022—two years after the ransomware attack.
The Indiana Office of Inspector General (OIG) launched an investigation following a consumer complaint from a Westend Dental patient regarding an unfulfilled request for dental records.
The investigation confirmed a ransomware attack on or around October 20, 2020, compromising state residents' protected health information (PHI) and extensive violations of HIPAA requirements, including lack of HIPAA training, no HIPAA policies, noncompliant risk analysis, weak password policies, and servers stored in unsecured locations.
Court documents further detailed that Westend Dental failed to conduct a forensic investigation following the ransomware attack, leaving the true scope of the incident, including how many individuals were affected, unknown.
Compounding the issue, backups created by a third-party vendor were found to be incomplete, preventing Westend Dental from fully recovering data or notifying patients whose PHI may have been compromised.
Monitoring software was also absent, making it impossible to determine how deeply the attackers had penetrated the organization's systems.
MedusaLocker operates as a Ransomware-as-a-Service (RaaS) that targets healthcare and education and employs double extortion tactics, encrypting victims’ data while simultaneously threatening to leak sensitive information unless a ransom is paid.