Nearly 400K dental patients affected in Alabama ransom attack

In July, staff at Sarrell Dental, with 15 locations across Alabama, discovered malicious software on the organization's network servers.

The ransomware was accompanied with a message demanding payment in return for the key to decrypt impacted files. Sarrell Dental did not pay the ransom—it deactivated the network and engaged help from ID Experts to investigate the attack. But the damage was done, and eventually the chain determined that information of 391,472 individuals was affected.

Sarrell Dental-CROP.png

The dental practices closed for two weeks to rebuild business systems. “To protect health information in the future, we rebuilt our business systems with updated security and virus protection for the entire Sarrell network before reopening our practices,” the organization told patients in a breach notification letter. Now, the network and systems are monitored with upgraded capabilties to ensure data remains secure, and the investigation has not found evidence of files being copied, downloaded or removed from the network.

“However, because we cannot rule out the possibility that sensitive information was obtained from the network, we are providing information about resources to assist those potentially impacted to protect their information,” patients were told.

Compromised data included patient names, addresses, dates of birth, Social Security numbers, insurance and treatment information, dates of service, procedure and diagnosis codes and the names of the treating dentist.

The notification letter stressed that Sarrell Dental cannot be certain whether or how much of its information was exposed, but noted that no evidence suggests affected data has been misused.

“Receiving a letter does not mean that you are a victim of identity theft,” patients were told. “At this time, there is no evidence that your data is at risk as a result of this incidence; however, Sarrell Dental has notified you of this incident as a precaution.”

The organization urged affected individuals to enroll and receive the free credit monitoring and identity theft protection available and also take advantage of free fraud alert services offered by the credit bureaus.

Additional information on the incident was not available.

For reprint and licensing requests for this article, click here.