Report on Patient Privacy 25, no. 1 (January, 2025)
Recent federal enforcement actions have brought home the lesson that there’s really no acceptable reason for denying a patient timely access to medical records. Last year, for example, the HHS Office for Civil Rights (OCR) fined a Maryland dentist $70,000; she contended the patient wanted the records to fraudulently file for reimbursement of her family’s treatment.[1]
A new case involving an Indiana dental practice provides another unacceptable response—and one that ultimately snowballed into a $350,000 state settlement likely to presage future enforcement action by OCR: We were “hacked.”
Problem was—well, there allegedly were many—parent firm Westend Dental never reported the hack or breach as required to Indiana or OCR. Indeed, it only came to light after Indiana Attorney General (AG) Todd Rokita’s office “received a consumer complaint stating that the consumer had contacted Arlington Westend Dental on multiple occasions to receive copies of their x-rays, but Arlington Westend Dental stated it no longer had the x-rays because someone ‘hacked’ their systems.”
It's not clear when the consumer complained, but a dentist in the practice responded to Indiana’s queries in February 2022, as detailed in a proposed settlement signed on Dec. 19 by Rokita’s office and Deept Rana, identified as Westend’s clinical director. As of RPP’s deadline, the state had neither announced nor commented on Rokita’s complaint or his office’s proposed settlement with Westend. RPP obtained the documents through a court database.
Neither Rana nor his attorney, Brian Jones, responded to RPP’s requests for comment.
The settlement involving Westend, which has six locations, also underscores that states can, and do, enforce HIPAA, a right AGs were given in the 2009 HITECH Act. Moreover, it shows that Indiana remains a leader in such actions.
The final HIPAA enforcement action OCR announced in 2024 was a $250,000 settlement with Puerto Rican clearinghouse Inmediata, announced in December; a year earlier, Inmediata had entered an agreement with nearly three dozen AGs over the same breach that figures into OCR’s deal.[2] Rokita’s office led the multistate case, which RPP will detail in an upcoming issue.
Practice’s Notification Denied Breach
Rokita’s complaint against Westend Dental runs 40 pages; the proposed settlement—which still must be approved by a judge—is 31. Rokita’s office alleged a litany of violations of HIPAA and of two state laws that also govern the handling of personal information: the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act. As is customary in a settlement, Westend did not admit to wrongdoing.
The complaint notes that the AG’s office “gave notice” to OCR of the state’s action against Westend Dental, which appears to have operated in a virtual HIPAA-free zone for years, based on information from Rokita.
As described earlier, the case began with a patient’s complaint about not being able to receive dental records. But the state’s investigation was anything but straightforward, as information about the events trickled out over two years.
Westend officials repeatedly denied that they had been the victims of a ransomware attack, which the state says occurred “on or around October 20, 2020,” and at various turns blamed a “loss of data” during a failed reformatting attempt. That is how the state said Westend described the incident when it belatedly submitted its required breach notification form to the AG in October 2022. Westend also stated that fewer than 500 individuals had been affected.
Calls to Vendor Showed Attack
However, the AG uncovered customer service calls between a software vendor and Westend officials showing that the vendor had told the dental practice that a server had a “crypto virus” and could not be accessed.
During one call, a dental official also reported finding a ransom note, but when questioned under oath by the AG’s office in October 2023, the individual said he had lied, and that it was “the regular practice of Westend Dental to lie to employees and vendors in order to escalate [information technology] issues more quickly and scare employees about using their work computers for personal use.”
Subsequently, Westend produced a screenshot of the ransom note, and the official admitted in a sworn statement in January 2024 that there had been an attack. The note did not list a ransom amount, and it does not appear that Westend paid the hackers.
In addition to failing to provide breach notification required under state law and HIPAA, the complaint and settlement state that Westend never completed its own investigation and that the true number of affected patients is unknown.
According to the documents RPP reviewed, the state believed that an “Intruder gained access to Westend Dental’s shared login credentials stored in plain text files, which gave the Intruder access to all Westend Dental systems and the PHI [protected health information] of all Westend Dental patients. At the time of the Data Breach, Westend Dental served at least 17,000 patients at all locations.”
AG: No HIPAA Policies Implemented
In addition to allegations of lying, concealment and breach notification failures related to the attack, the Indiana AG accused Westend Dental of violating the Privacy Rule by posting PHI online in response to “multiple” patient reviews. The complaint also includes photos of minor patients (with their faces covered) that Westend shared on Facebook without authorization, according to the AG.
Since the time the Privacy and Security rules were issued, compliance officials—both private and governmental—have warned that policies and procedures shouldn’t stay in a binder on a shelf. But that’s exactly what the Indiana AG alleged was the case with Westend Dental.
“Prior to November 2023, Westend Dental’s HIPAA policies were stored in hardcopy at one location” and “were never given to and were not readily available to any Westend Dental employees.”
Moreover, “prior to November 2023, Westend Dental had not actually implemented any HIPAA policies” nor had “HIPAA training for employees,” the state alleged.
In November 2023, Westend began using a “third-party compliance product,” but as of the date of the state’s complaint, it remained in violation of various HIPAA requirements. For example, it had not provided patients with its notice of privacy practices nor posted the notice online, as required, the state said.
For various other periods of time, Indiana officials also accused Westend of using unsecured email, sharing passwords and logins, lacking a business associate agreement with its billing vendor and failing to secure its physical servers, among other issues.
Settlement Includes Many Tasks
Although the state and the practice settled for $350,000, Indiana’s complaint sought a much higher amount. The state asked for $300,000 for violations of Indiana’s breach notification requirement, $25,000 per year for HIPAA violations and $5,000 for each violation of other state laws. Moreover, the AG requested Westend Dental “pay all costs and fees for the investigation and prosecution of this action.”
If approved by a judge as written, the settlement gives Westend two years to pay the $350,000, with the first payment of $100,000 due within 30 days of the effective date of the agreement. Six equal payments of $41,666.67 are due every six months, beginning April 30 and ending Oct. 15, 2027.
But as with most settlements, the fine will be dwarfed by the cost of the compliance requirements to which Westend agreed. Westend Dental broadly agreed to comply with the two state laws and with HIPAA Privacy, Security and Breach Notification rules, with dates established for many of them. Within the first 30 days, it agreed to hire a third-party assessor to review its compliance with the Privacy and Security rules. It also was given 30 days to scrub its social media of any unauthorized PHI.
Within 90 days of the effective date, it must implement and comply with a comprehensive “information security program.” Specific tasks include conducting a risk analysis and risk management plan, naming privacy and security officers and signing business associate agreements. Westend is required to implement network segmentation, engage in penetration testing and adopt multifactor authentication and encryption.
Separately, Westend Dental also pledged to take a number of steps related to the 2020 breach. Within 30 days of the effective date, it must notify the media and post a breach notification message on its website; within 60 days, it is to notify individual patients.
1 Nina Youngstrom, “OCR Sees ‘Willful Neglect’ in Refusal to Give Records; Dentist Decries ‘Miscarriage of Justice,’” Report on Patient Privacy 24, no. 12 (December 2024), https://bit.ly/3Pl5nJk.
2 U.S. Department of Health and Human Services, “Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure,” news release, December 10, 2024, https://bit.ly/3BTbUYC.