jamesteohart - stock.adobe.com

Dental Care Alliance Reaches $3M Proposed Settlement Over Healthcare Cyberattack

Dental Care Alliance (DCA) suffered a month-long healthcare cyberattack in December 2020 that impacted 1 million patients.

Dental Care Alliance (DCA) reached a $3 million proposed settlement over a December 2020 healthcare cyberattack that lasted for one month and impacted 1 million patients and employees. DCA is a practice support vendor for more than 380 allied practices across 21 states.

The settlement money will be distributed to claimants who suffered out-of-pocket costs and lost time as a result of the incident. DCA also agreed to implement additional security enhancements in 2022.

The DCA breach was one of the largest healthcare data breaches of 2020. DCA detected anomalous activity within its environment on October 11 and later determined that hackers had maintained access to its network from September 18 to October 13.

The information that was potentially accessed included names, treatment information, dental diagnoses, addresses, patient account numbers, employee names, employee identification numbers billing information, dentists’ names, health insurance information, Social Security numbers, and bank account numbers.

About 225,000 individuals were notified that their Social Security numbers, driver’s license numbers, or financial account information was impacted.

Filed in January 2021, the lawsuit against DCA alleged that the breach was a “direct result” of DCA’s failure to implement reasonable cybersecurity measures to safeguard consumer information. The lawsuit also alleged that if DCA had properly monitored its property, it could have found the intrusion sooner.

“Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks,” the filing stated.

“Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.”

The lawsuit claimed that DCA violated HIPAA by failing to implement adequate administrative safeguards.

DCA denied all wrongdoing but agreed to the $3 million settlement outside of court. Class members are eligible to receive up to $2,000 for their losses, while subclass members (those who had their financial information breached) are eligible for up to $5,000.

Next Steps

Dig Deeper on Cybersecurity strategies