The settlement comes after a data breach impacting millions.
The Breach
In 2023, Great Expressions Dental Centers suffered a data breach estimated to impact 1.92 million individuals.
Great Expressions, a Michigan-based practice, currently operates 246 dental practices in nine states. They are considered one of the largest dental support organizations in the United States.
On May 12th, 2023, Great Expressions reported a data breach to the U.S. Department of Health and Human Services (HHS). After an investigation, it was determined that the breach was the result of hacking. The investigation found that an unauthorized party had accessed and removed some files between February 17th and 22nd of 2023.
According to a notice filed with the Attorney General of Massachusetts, both patients and employees were impacted. Employee data may have included names, Social Security numbers, driver’s license numbers, and/or bank account and routing numbers.
Patient data may have included names, dates of birth, contact information, mailing addresses, Social Security numbers, driver’s license numbers, financial account information, credit or debit card numbers, diagnosis and treatment information, medical and dental history, dental examination information, charting information, treatment plans, x-ray images, dates of service, and more.
At the time, Great Expressions said that they had “no indication that any of [the] information was misused.”
Great Expressions clarified that their electronic medical records system was not accessed during the breach.
The organization said they “regret any inconvenience caused by this incident. To help prevent a similar occurrence in the future, we are implementing additional safeguards and technical security measures.”
Great Expressions also offered free identity monitoring in response.
The Lawsuit
Following the breach, Great Expressions ultimately faced a class action lawsuit alleging that the incident could have been prevented. Class action members claimed Great Expressions was negligent and breached the implied contract to keep data secure for both patients and employees.
The class action members agreed to a settlement under the premise that while the suit had merit, the litigation process could be lengthy, costly, and uncertain.
Under the settlement agreement, Great Expressions maintained its denial of any wrongdoing and asserted that other, unrelated factors caused any harm suffered by the plaintiffs.
Five plaintiffs will receive $2,500 as a service award. Representative attorneys are expected to be paid $900,000 plus expenses up to $25,000.
Individuals whose Social Security numbers were compromised may receive up to $500 for out-of-pocket expenses and $40 for time lost. Class members may also receive up to $5,000 per individual for unreimbursed costs, losses, or expenses that can be traced to the incident.
For individuals whose Social Security number was not affected, Great Expressions agreed to pay for up to two hours of time spent responding to the breach at a rate of $20 per hour.
The settlement also required Great Expressions to improve its data security practices. As a result, Great Expressions will begin implementing multi-factor authentication, updating its security protocols (including policies for the retention and destruction of patient information), implementing a vulnerability management tool for patching, implementing endpoint detection and response (EDR) protection, and keeping workstations encrypted.
Other incidents
For Great Expressions, this isn’t the first time a practice operating under its name has gotten in trouble over data-related practices.
The company’s practice in Georgia faced another settlement in 2022 regarding “patient right of access.” The case arose from a 2020 complaint, when a former patient said the practice refused to provide her medical records after she declined to pay a $170 “copying” fee.
The plaintiff took the case to court and a federal investigation determined that the copying fee was not reasonable. The case was ultimately settled and the practice agreed to pay $80,000 and implement a corrective action plan. Great Expressions in Georgia is not the only practice to come under fire for not providing proper access to medical records; other organizations have also faced penalties.
Major takeaways
When healthcare organizations face a data breach, it can disrupt their operating procedures, be costly, and harm the institution’s reputation. Payouts in cases like these can be massive, especially for attorneys. With so much money in the industry, it’s easy to understand why class action lawsuits are soaring.
While some breaches can be linked to harmful actors, many breaches, like in this case, go unclaimed. This can make it difficult to determine which organization was responsible and how future breaches could be prevented. Nevertheless, it’s common for the data to make it to the dark web, where it may be sold to criminals hoping to engage in fraudulent activity.
Many hackers target organizations solely based on opportunity, making it all the more important for healthcare companies to vigilantly protect their cybersecurity and stay on top of the evolving threat landscape.
For Great Expressions, the breach will likely result in a renewed focus on cybersecurity. Although the terms of the settlement allowed Great Expressions to deny any wrongdoing, it’s possible that improved security measures could prevent a future breach.
How Cloudticity Can Help
Data breaches are becoming the norm, impacting millions and resulting in massive lawsuits. But that doesn’t need to be the case. Healthcare organizations need a new strategy to protect themselves.
Despite the looming threat, a shortage of cybersecurity experts means many organizations are ill-prepared for an attack, using old software or procedures unfit for today’s challenges.
As a HITRUST-certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. Despite an ever-evolving threat landscape with sophisticated and persistent actors, we’ve kept every single organization we work with secure.
Using a proven security tech stack with the best experts, we keep data safe and address any sudden vulnerabilities before threat actors can take advantage of them.
Attacks are rising, and so are their associated costs: legal fees, system upgrade costs, and penalties. Cloudticity helps organizations focus their resources on serving patients instead of security concerns.
If you want to learn more about how we can help protect your organization from network attacks, reach out for a free consultation today.