
Colorado ransomware attack leaves 100 dental practices without access to patient data

Dentists can take cybersecurity steps to protect practices

December 17, 2019

By Mary Beth Versaci

A Nov. 25 ransomware attack against a Colorado information technology company impacted about 100 dental practices, leaving them without access to their patient records, schedules and more.

The attack comes a few months after a similar incident in August targeted PerCSoft Consulting, a technology provider in the dental industry, affecting hundreds of dental practices.

"The fingerprints are very similar – hit the IT vendor, then the attackers sprayed from there; they hit their clients' computers," said Gary Salman, CEO of Black Talon Security in Katonah, New York, which has helped restore some of the practices affected by the November ransomware attack.

Other attacks in recent months targeted Southeastern Minnesota Oral & Maxillofacial Surgery Associates, the city of Pensacola, Florida, and nursing homes.

Ransomware is a type of malware that denies access to a computer system or data until a ransom is paid. The type used against Englewood, Colorado-based Complete Technology Solutions in November is known as "Sodinokibi." It prevented dentists from accessing patient records, schedules, radiographs and accounts receivable and posting payments.

"It was a very sophisticated attack, one of the most advanced forms of ransomware that is in existence," Mr. Salman said.

The impact

One of the affected practices was Pediatric Dental Specialists of Greater Nebraska, co-owned by Dr. Jessica Meeske, vice chair of the ADA Council on Advocacy for Access and Prevention. 

"You are absolutely paralyzed in the same way as if you lost your location physically," Dr. Meeske said.

After the attack, she called her cybersecurity insurer, and a team of experts came in to decrypt her computers and restore her data. As of Dec. 16, two of her four locations were up and running, but the experts were still working to recover patient charts at the other two.

Dr. Meeske is concerned about a potential Health Insurance Portability and Accountability Act breach, but the experts who worked on her restoration said it appeared the attackers encrypted the data but did not access it.

By default, a ransomware attack is considered a HIPAA breach, according to the U.S. Department of Health and Human Services, unless the business associate or covered entity can demonstrate there was a low probability the protected health information was compromised, Mr. Salman said.

While the cause of the attack will not be known until a forensics investigation is completed, these attacks typically occur by targeting an IT company and using its connections to its customers' workstations and servers to insert the ransomware and encrypt files, he said.

The attack affected dentists in several states, including Colorado, Kansas, Louisiana, Nebraska and Nevada. 

What was unusual about the incident was that the attackers used a unique encryption for each infected device, meaning dentists often needed to obtain multiple decryption codes from the attackers to gain access to all their data, making the recovery efforts "very difficult," Mr. Salman said.

"They basically come back with a price tag and say you have to pay us this amount of money if you want your data back," he said. 

Law enforcement does not recommend paying a ransom, but it ultimately is up to businesses to decide if the risks and costs of paying are worth the possibility of getting their files back, according to the Federal Trade Commission.

However, sometimes the victims have no choice, said Mr. Salman, whose cybersecurity company primarily serves dentists.

According to an email sent to its customers, Complete Technology Solutions did not pay the ransom.

"We have communicated with the ransomware attackers and determined that decryption keys may be available for your systems; however, based on our available resources, we are unable to procure the keys at this time," company President Herb Miner said in the email. "Again, we remain available to support your team to the best of our ability in support of any restoration efforts you may deem appropriate."

What to do

Mr. Salman, whose father is a recently retired oral surgeon, lectures on cybersecurity to dentists across the country and says there are several steps dentists can take to help protect their practices.

Dentists need to ask specific questions of the IT companies they hire, including whether the company has a third-party cybersecurity company evaluate the security of its infrastructure so that its data breach does not become the dentists' data breach, he said.

Just having a firewall or anti-virus software does not cut it in the modern age, so dentists also should consider hiring a cybersecurity company to analyze the security of their own network, Mr. Salman said. 

Cybersecurity companies can perform vulnerability scans and penetration testing to expose "unlocked doors and windows" on their network that could allow cybercriminals to access their patient data, he said. 

"Unfortunately, in this day and age, it's not if you’ll have a cyber breach with data, it's when, unless you make sure your office has the most up-to-date security measures in place," said Molly Pereira, associate executive director of operations and communications for the Colorado Dental Association. "It truly can happen to anyone."

Dentists and their staffs should undergo cybersecurity training on a regular basis as part of HIPAA compliance and have multiple data backups, including an external hard drive they keep disconnected from the rest of the network, Mr. Salman said.

The ADA Center for Professional Success also advises that dentists train staff on basic data security, back up data regularly and keep a copy off-site, be wary of attachments and web links included with suspicious emails, and maintain cyber defenses such as anti-virus and anti-malware software. To learn more, visit Success.ADA.org.

The ADA also offers a continuing education course related to ransomware at ebusiness.ADA.org.

The Colorado Dental Association also plans to launch a full educational campaign around cybersecurity in 2020.

"We need to do more to make dentists aware of the problem," Dr. Meeske said.