Orthodontic practice management software provider OrthoMinds, based in Alpharetta, Georgia, recently reported a security incident that occurred in November 2024, allowing unauthorized access to patients’ protected health information (PHI). According to forensic investigation, parts of its system were exposed to unauthorized third parties from November 17, 2024, to November 27, 2024.
The file analysis affirmed the potential compromise of data such as names, birth dates, medical data, medical insurance details, Social Security numbers, and payment card details. What isn’t clear at this time is how many people were impacted, as the file analysis is still in progress. In compliance with the HIPAA Breach Notification Law, OrthoMinds submitted the breach report to the HHS’ Office for Civil Rights, indicating that at least 501 individuals’ data were affected. The final number is expected to be considerably higher.
OrthoMinds is sending breach notification letters to victims on behalf of its impacted clients. It is providing free credit monitoring services to those whose Social Security numbers or payment card details were exposed. OrthoMinds has additionally examined its guidelines and procedures and is adding more technical safety measures to avoid the same incidents down the road. Although data was compromised, OrthoMinds did not mention reports of any data misuse or theft.
It would seem that the security incident was a result of incorrectly protected databases. Information was freely accessible online without an access control setup. Therefore, any person who discovered the databases could view and download the information.
Security researcher JayeTee found the database and remarked that at least 200,000 patients’ data was included. He mentioned that although the database could be accessed in November, it is likely that data was exposed for a longer period. The researcher stated he tracks compromised information, and the database was initially recognized in his records on October 23, 2024. However, he waited until November to inspect more. JayeTee stated he discovered over 300 database copies between November 2020 and the middle of October 2024, each of which included the information of several patients of dental clinics that utilize the practice management software program. The database copies comprised over 1,873 gigabytes of data. What is unknown is if someone besides the security researcher discovered the compromised database before it was made secure.
Image credit: Sujinun, AdobeStock
