Can your orthodontic practice survive a data breach incident?

Mark Pribish offers facts and best practices on how to mitigate a cyberattack

According to a June 2022 Aite-Novarica consumer report titled ”US Identity Theft: Adapting and Evolving,” identity theft has become so prevalent that it affected one-in-four U.S. consumers in 2021 along with virtually every type of financial product and commercial platform including dental and orthodontics practices.¹

Aite-Novarica Group is an advisory firm providing critical insights on technology, regulations, markets, and operations to hundreds of banks, insurers, payment providers, and investment firms — as well as the technology and service providers that support them. Aite-Novarica Group also released a July 2022 report titled Consumer Scams: Rising in Velocity and Sophistication that reported 34% of U.S. Consumers were Targeted by scams in 2021.²

According to the report, scams have become a regular part of our daily, digital lives with scammers using phishing (fraudulent emails), vishing (fraudulent phone calls and voice mail messages), smishing (fraudulent text messages), and social media to commit their scam tactics to fool victims and commit fraud.

As an orthodontic practice, you should be concerned about identity theft and consumer scam trends for both your practice and your customers. Why? Because of three major data breach incidents affecting the dental and orthodontics business sectors in the first half of 2022.

The first major data breach incident occurred in March. An article announced: “Data breach compromises over 1 million dental and orthodontic patients at a large Texas dental and orthodontics practice, including the sensitive information on over 1 million patients.” Jefferson Dental and Orthodontics (JDC) with 72 offices in Texas reported that hackers had copied documents stored on its servers in the summer of 2021. During this time, JDC discovered malware on its computers, which prompted the company to contract a third-party cybersecurity firm to work on the issue.³

The firm discovered the extent of the breach, which could affect just over 1 million patients, including clinical information, Social Security numbers, driver’s license numbers, dates of birth, health insurance information, and financial information.

If this could happen to JDC, this can happen to any dental and orthodontics practice in the United States. Your practice needs to be prepared (for a data breach incident) or be prepared to lose (regarding fines, penalties, and lawsuits).

The second major data breach incident was in April when the American Dental Association (ADA) confirmed a cyberattack after a ransomware group claimed credit.⁴ Security researchers who have reviewed the leaked data say that it contains a variety of sensitive information, including W2 and other tax forms, financial spreadsheets, and information about private practices.

While the attack on the ADA itself is a major concern — this may just be the start of something more concerning — with follow-up attacks aimed directly at ADA member practices happening in future months.

The last data breach incident I will reference was reported in July in an article titled “Vendors Ransomware Attack Hits Over 600 Healthcare Clients”: “A ranmsomware attack on an accounts receivables management firm affects more than 650 covered entity clients, including dental practices, physician groups, and hospitals, resulting in one of the largest health data breaches involving a vendor so far this year.”⁵

Professional Finance Company (PFC), based in Greeley, Colorado, said in a statement “that on Feb. 26, it ‘detected and stopped a sophisticated ransomware attack’ involving an unauthorized third party accessing and disabling some of the firm’s computer systems.”

While PFC says the incident only affected data on the company’s systems, the vendor released a list of about 660 healthcare entity clients that were affected. Those entities were notified by PFC about the incident on May 5, the company’s statement says.

PFC reported that its investigation “found that files containing individuals’ personal information were accessed in the ransomware incident, including names, addresses, accounts receivable balance, and information regarding payments made to accounts. In some cases, affected information also includes date of birth, Social Security number, and health insurance and medical treatment information.”

According to the U.S. Department of Health and Human Services (HHS), medical identity theft is among the fastest-growing forms of identity theft in the United States.⁶

So, let’s turn back to identity theft when the 2022 Javelin Strategy Annual Identity Fraud Study found that identity theft and fraud losses totaled $52 billion and affected 42 million U.S. adults in 2021.⁷ The Javelin study also reported the following:

• 1 in 20 Americans were victims of fraud in 2021.
• The average per victim loss from traditional identity theft and fraud rose to $1,551.
• The average per victim loss from identity fraud scams was $1,029.
• The 2021 statistics show individuals and businesses are unprepared for the tactics criminals are deploying in our modern, digital-first world.

Since identity theft and fraud is constantly evolving, how does the 2022 Javelin Study reflecting 2021 statistics compare to the last two Javelin Studies in 2020 and 2019?

• In 2020, identity theft and fraud losses totaled $56 billion and affected 49 million U.S. adults.
• In 2019, identity theft and fraud losses totaled $16 billion and affected 14.4 million U.S. adults.

Javelin defines identity fraud as “the unauthorized use of another person’s personal information to achieve illicit financial gain. Identity fraud can range from simply using a stolen payment card account, to making a fraudulent purchase, to taking control of existing accounts or opening new accounts.”

In addition, Javelin defines identity fraud scams as “relatively easy to orchestrate and present an opportunity for criminals to bypass the fraud detection barriers maintained by financial services providers because they directly target the consumer.”

One of the reasons hackers and identity theft criminals are shifting their attention to smaller targets is that small businesses tend to lack information security and governance best practices compared to larger businesses.

However, it’s not just about individuals and your orthodontic practice customers and employees — it’s also about your small to medium-size business (SMB). Most dental and orthodontic practices fall into the SMB category, and most SMBs are the new targets for hackers and the insider threat.

According to Chubb, one of the leading property and casualty insurance companies in the world, “the reputational costs of cyberattacks can ruin small and medium firms” in a report titled “Cyber Attack Inevitability: The Threat Small and Midsize Businesses Cannot Ignore.”⁸

Unfortunately, most small businesses, including orthodontic practices, continue to believe they are not targets for cyber and identity theft criminals based on their size and/or small databases of personally identifiable information (PII).

However, the reality of identity theft and data breach makes the threat landscape for small businesses a high-risk target for both cyber and identity theft criminals, along with the insider threat such as current and former employees, contractors, vendors, social engineering, and phishing.

The Chubb report stated that “the average price tag for a business to recover after a cyberattack is $400,000, which can be fatal for small and medium-size enterprises (SMEs).”

One of the reasons hackers and identity theft criminals are shifting their attention to smaller targets is that small businesses tend to lack information security and governance best practices compared to larger businesses.

When small- to medium-size businesses struggle to identify a data breach event and then struggle even more to report and respond to a breach, the total cost of the breach increases because of direct costs, indirect costs, and lost opportunity costs.

So, how can small businesses protect their organization?

The Chubb report concluded that “the majority of cyber incidents are preventable, as they mostly stem from human error or a simple lack of proper training [and Chubb] recommended [small businesses] take the following preventative measures:

1. Create a cyberattack response plan, and invest in the resources to ensure the plan can be executed.
2. Use a secure password manager to make it easier for employees to manage their credentials in a secure
3. Educate employees about the risks of cybercrime and deploy software that can reduce social-engineering attacks such as phishing.
4. Install good antivirus software, and ensure it is always up-to-date.
5. Update operating systems and applications regularly to ensure they are supported by the manufacturer.
6. Protect networking activity with a secure router on your internal network and a virtual private network (VPN)
7. Purchase a comprehensive cyber insurance policy.

In addition to the built-in loss mitigation services to reduce the risk of being targeted in the first place, a cyber insurance policy will likely include incident response services if an attack succeeds.

Small businesses need to recognize that hackers, identity theft criminals, and the insider threat are current and future risks.

Small businesses also need to accept responsibility in protecting their customer and employee information by increasing employee education, investing in new technology, and creating a formal data breach response and recovery plan.

Specific to your orthodontic practice, the FBI reported on an alarming rise in the cost of cyberattacks in its 2022 FBI Internet Crimes Report — and estimated losses to businesses to fraudulent activity at $6.9 billion led by phishing and business email compromises.⁹

Key points of the report included the following:

• Business email compromise complaints to the FBI in 2021 accounted for more than a third of all reported cyber losses.
• Virtual meeting platforms represent a growing risk with access gained through BEC, spoofing, and deep fakes.
• Healthcare, financial services, and IT topped the list of business sectors hit by ransomware attacks.

According to the FBI’s Internet Crime Report for 2021, losses from cyberattacks spiked 64% to $6.9 billion, the biggest increase since 2018.

Consistent with the trends identified in the FBI’s report on 2020 complaint levels, phishing and variants such as smishing and vishing were the leading threat vectors in 2021, rising 34% annually to nearly 324,000 incidents and racking up losses of $44.2 million.

Business email compromise and email account compromise complaints were smaller in aggregate number than phishing but larger in impact. Nearly 20,000 BEC/EAC complaints accounted for $2.4 billion in losses, slightly more than a third of the total losses tallied by the FBI across the full range of cyberattacks. (Note that the FBI includes some defrauded individuals’ transactions, known as EAC, in the predominantly business targeted BEC statistics.)

Overall, the FBI strongly encourages a heightened attention (and awareness) among businesses and consumers to an “urgent need” for cyber incident reporting to federal authorities. In addition to phishing and BEC, the threats tracked by the FBI include ransomware, tech support fraud, and identity theft — all of which grew in number.

To conclude, 43% of all cyberattacks target small business.  Every small business, including dental and orthodontic practices, should implement information security and governance best practices.

The following four best practices will help your small business mitigate its exposure to data breach and identity theft events: 

Best Practice No. 1 — Every dental office needs to understand how and where their technologies and systems comingle with the cybersecurity threat landscape. However, staying on top of all the security news and knowing the latest security trends is a time-consuming and challenging task. I recommend regularly reading Brian Krebs, who is the author of a daily blog covering cybersecurity, data breach, and cybercrime trends.¹⁰

Best Practice No. 2 — Have a written information security and governance policy, and update this policy each year. Once complete, have every employee — even if your dental office has two to five employees — sign this information security policy document acknowledging that he/she has read, understands, and agrees to said policy. The National Institute of Standards and Technology has created a template document titled Small Business Information Security Fundamentals, which can help your dental practice create such a policy.¹¹ 

Best Practice No. 3 — Have a data breach risk management plan in place. The lack of cybersecurity preparedness, data breach planning, and employee privacy training have made dental offices a target for cybercriminals. The Federal Communication Commission (FCC) created a “Small Biz Cyber Planner” (https://www.fcc.gov/cyberplanner)¹² to help small businesses create customized cybersecurity plans. Your dental practice can use this tool to create and save a custom cyber security plan.

Best Practice No. 4 — Every dental office should consider having a cyber liability insurance policy, which can help protect your business from cybercrime and a data breach incident. The CEOs and CIOs of Equifax and Target were not fired because they were hacked or breached; they were fired for their failed management response to their breach events. Cyber insurance can help your dental office be resilient and compromise ready. Talk to your insurance agent or broker about cyber insurance.