Advantage Dental has notified more than 151,000 patients that the dental service company suffered a data breach, resulting in the theft of personal patient health information, company officials stated Monday.
Oregon-based Advantage Dental confirmed that a cybercriminal gained illegal access to the company’s internal systems, stealing the information of patients. Information stolen in the Advantage Dental breach includes Social Security numbers, birthdates, phone numbers and home addresses, the company does not believe any financial information was stolen.
Though no patients affected in the breach have reported any misuse of their information thus far, Advantage Dental is offering two free years of identity theft monitoring services that affected customers have access too, as comes common in data breaches these days. The company also noted they are working with federal law enforcement to determine the scope of the breach.
Advantage Dental’s compliance manager, Jeff Dover, said hackers got off with patient information when an Advantage employee’s computer was infected with malware, allowing the criminals to steal username and password information to gain access to the membership database. The breached database did not contain financial records or patient treatment information.
“Unfortunately this happened,” Dover said speaking on the Advantage Dental breach. “What you can do is be as transparent as you can, take responsibility for it, learn from it and then move on.”
Hackers accessed the information between February 23-26, shortly after an Advantage internal IT worker identified the breach within the network. Dover said Advantage Dental’s robust, in-house security team allowed them to quickly identify the breach.
“In other situations, hackers are running around in these databases for months on end,” Dover said.
Advantage is current working to notify affected patients, according to their website, Advantage serves some 250,000 patients every year, but Dover said the database that hackers breached contains over 1.5 million records in total. The company also reported the incident to the Oregon Attorney General’s office, the Oregon State Police and has notified the U.S. Secret Service.
Advantage took proper steps to assess the breach, even going as far as to contact the FBI and notify the public, a tactic U.S. president Obama has long urged for, even proposing a new piece of legislation that would require breached companies to notify the public within 30 days of the company’s knowledge.
Advantage Dental has noted they have made a number of security changes to prevent further breaches, no longer allowing access to the internal patient database from computers that are not stationed within Advantage clinics or at the company headquarters. On top of that, Advantage IT workers require staff to change their passwords regularly and heavily monitor network traffic for suspicious activity.
As Advantage IT administrators control the network, Dover said there was no indication that the employee whose computer was infected with malware that led to the breach was “surfing nefarious websites.”
Another health center, Mosaic Medial, located in Central Oregon also reported a security breach last Thursday, stating that personal information of more than 2,200 patients was stole during an overnight attack. If the attacks are connected remains unknown.
Advantage Dental said the company is currently working with federal officials to investigate the matter.