
Buckle up, folks, because this week’s episode is a wild ride through the Cavity of Lies—where HIPAA violations, ransomware attacks, and outright absurdity collide. What happens when a dental group tries to sweep a massive breach under the rug (or, you know, hide servers in bathrooms)? Let’s just say it doesn’t end well. From a 3-year-long cover-up to servers stored in all the wrong places, we’ve got lies under oath, policies that might as well be urban legends, and enough bad decisions to make you cringe harder than hearing the dentist say “we need to talk about your flossing habits.”
In this episode:
Cavity of Lies: Westend Dental’s HIPAA Coverup – Ep 493
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Cavity of Lies: Westend Dental’s HIPAA Coverup
[03:29] We’ve talked about this before. We are sure that CEs and BAs have had data breaches and not reported them. Here is the proof for that statement. Someone got caught in the cover-up of a ransomware attack. An Indiana dental practice agreed to pay the state $350,000 and go on an intense 7-year CAP.
Dental Practice Pays State in Alleged Data Breach ‘Cover Up’
IN vs Westend Dental Complaint
IN vs Westend Dental Resolution
In Oct 2020, a ransomware attack encrypted the data on a server at one of the locations run by Westend Dental, a group of dental practices in Indiana. That location had at least 450 patients. But it was also connected to all the other locations – they have 6. They have a screenshot of the ransom note that was left by the attackers. That means we know it was the MedusaLocker attackers. They did ZERO investigation, so there is no way to know how the attackers got in, but we can assume phishing or, more likely, their unsecured RDP connection.
We all know what they should have done but they did NOTHING on that list. These folks set a new low bar for how little you can care about patient data protections.
They didn’t do an investigation at all. They never found out how the attackers got in, what they did, or how much they accessed – zero, zip, nothing at all. They didn’t have a backup, so they called one of their software vendors and managed to get a partial backup from them. They came back up with what they had and kept working. No other thought about it. Well, until…
So how did they get busted?
[10:05] The IN OAG received a consumer complaint “stating that the consumer had contacted Arlington Westend Dental on multiple occasions to receive copies of their x-rays, but Arlington Westend Dental stated it no longer had the x-rays because someone “hacked” their systems.”
When the OAG started the investigation, they sent a request for information to the doctor the patient was seeing – not the ones in charge but another one that . The doctor clearly was not in on the cover-up, although they should have known a notification was required, and maybe just couldn’t lie. The doctor replied in Feb 2022, stating in part:
“We use several online applications that run on our server and facilitate patient care in our clinic. Unfortunately that also exposes our systems to some element of [sic]. Despite taking several security measures, our Server was infected with malware on the night of October 20, 2020.”
So they called and asked: when you say malware, what exactly are you referring to? Finally, by Oct 2022 the IN OAG got a data breach notification about the 2020 event.
In their notification they claimed that fewer than 500 patients were involved and that no patients were notified, just the OAG. They claimed in their notice that the incident “was not a data breach but a loss of data”.
Dr. Rana was their lead executive for IT-related matters. He and his brother, Kunal Rana, made false statements to the Office of the Indiana Attorney General (“OAG”), determined to cover it up. The OAG got an email from Rana in Nov 2022 stating the following:
“This was not an intrusion, but an incident of data being lost when the on-site internal hard drive of the server got formatted by mistake. It is suspected the data was lost when we attempted to format a partition on the server hard drive that did not contain any database. The formatting process was not successful and the entire server hard drive data got lost in the incident. . . . The data server was not compromised by a ransomware attack and no ransom demands were received by the office. . . . This was not a ransomware attack. We did not receive any ransom demand after the data was corrupted.”
Again in April 2023, the same thing happened when they made more statements: “No system was compromised.” and “No patient had any data ‘compromised.’”
In Oct 2023, Kunal Rana testified under oath. Asked again whether there was an attack, he said no. Was there a ransom note on the server? He said no.
But this is where it gets even more insane. Once he had said all of that, they said, let’s play a little recording for you. The OAG was able to get recordings of the customer service calls with the software vendor from Oct 2020. The calls included Dr. Rana, Kunal Rana, and Heather Cramer, an administrator, on the phone with the vendor.
In one call they have the vendor tell Kunal and Heather specifically what they found. The vendor said that a server was infected with a “crypto virus,” meaning the “database and a lot of the files on the system are not going to be accessible” because “they’re all encrypted with . . . a nefarious person’s virus”.
In another call they have the proverbial smoking gun, though. The vendor rep on the phone “told Kunal Rana it was their understanding that Westend Dental “probably had some kind of crypto or ransomware attack yesterday, is that correct?” In response to this statement, Kunal Rana stated: “Yeah so we came to the office yesterday morning and we couldn’t connect to the server and then when we got on the server we saw that all the files were encrypted. There was a message saying that we have to pay them to get the data back.”
We go completely off the rails with the next part:
When asked about these customer service calls, Kunal Rana testified that it was the regular practice of Westend Dental to lie to employees and vendors in order to escalate IT issues more quickly and scare employees about using their work computers for personal use.
When specifically asked if he was lying to the software vendor when he said, “All the files were encrypted. There was a message saying that we have to pay them to get the data back”, Kunal Rana responded, “I believe so.”
He must have caved after that, though. In December 2023 he gave them the photograph of the ransom note.
Finally, in Jan 2024 Dr. Rana admitted they did have a ransomware attack. Over 3 years after the attack and over a year after the investigation started. WOW, just wow!
At that point the gloves came off and they were looking everywhere. On multiple occasions on their social media pages, the OAG found where the group had posted public replies to patient reviews that included PHI. Hello, dental world – you cannot do that! They even included some of the posts in the legal documents. It is not pretty; they did not even attempt to make nice. They put it all out there, including details about the treatment and even dates of the visits! They even had pictures of patients, including some of KIDS, on their FB page without getting any approval from anyone. Pictures of patients in the chair getting treated!
When asked about HIPAA policies and procedures, the OAG learned that they were stored in hardcopy at one location. No implementation was apparent. No training for employees at all either. How do you skip that one!
[26:41] Suddenly, in Nov 2023 they started using “a third-party HIPAA compliance product that provides model policies, training (SIC), and a checklist for HIPAA compliance”. Other than signing up for that product, they continue to “fail to comply with HIPAA”. They still didn’t even have an NPP on their website! They asked Dr. Rana about that because, you know, they checked the box on the checklist saying they did have an NPP on the website. Clearly they checked it, since they even printed everything from the “third-party tool” and gave it to the OAG. Finally, he admitted they had lied again. In fact, as of Dec 2024 it still wasn’t there!
Guess what they say about an SRA!
Westend Dental has never performed a risk assessment that complies with HIPAA. Any “risk assessments” performed by Westend Dental have not accurately reflected the actual policies, practices, or systems of Westend Dental.
The list just keeps on going, with shared passwords and no password policies at all:
- Use of free GMail accounts for business including sending PHI!
- Using shared email accounts on top of that.
- Login credentials in a Google spreadsheet. That means the Intruder gained access to the shared login credentials stored in plain text files, which gave the Intruder access to all Westend Dental systems.
- They also used the same username and password combination for each of their servers that contained PHI.
- They used only 1 username and password combination for their SQL database.
- They are sure that login credentials for the other systems that contained PHI were available on the compromised server.
- No BAA with the billing vendor – how did the vendor allow that?!
- Kunal Rana was not an employee either – no BAA with him.
- No updates to servers.
- No servers were stored behind closed doors, and certain servers were stored in common areas such as an employee break room and an employee bathroom.
- No monitoring of network traffic.
- No logging or monitoring of access to the databases containing PHI, so they have no idea if there were any suspect logins or access.
- They never tried to even figure it out and they really have no idea what the attacker really was able to do.
- They never even checked to see if the attacker was STILL in their systems after the attack – EVER.
- They had no backups to restore.
- NO notifications to anyone: not the patients, not the state, not HHS. Nowhere, at no time, did they tell anyone the attack happened.
They have a huge list here and the OAG made it clear how bad it was under HIPAA:
Each security failure identified in Paragraph 144 is a separate, continuing violation of the HIPAA Security Rule that began before the Data Breach.
That’s how they got to the $350K plus a very detailed corrective action plan that will last 7 years!
And there you have it: a tale of HIPAA missteps, digital disasters, and lies so elaborate they make reality TV look tame. This episode may leave you questioning not just your dentist’s integrity, but whether their servers are safe from… well, the toilet. Let this serve as a reminder to keep your data secure, your policies intact, and your excuses believable. Because honestly, if they’re hiding servers in bathrooms, what else might they be sweeping under the rug?
HIPAA is not about compliance, it’s about patient care.TM