Lying Through Their Teeth: Westend Dental Fined $350K for Ransomware Cover-Up

January 9, 2025 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

The U.S.-based Westend Dental LLC has been fined $350,000 for failing to report a ransomware attack and data breach in 2020, instead blaming the incident on an “accidentally formatted hard drive.”

The penalty, imposed after an extensive investigation by Indiana’s Office of Inspector General (OIG), underscores the critical need for transparency and robust cybersecurity measures in healthcare organizations.

The Incident

In October 2020, Westend Dental fell victim to the Medusa Locker ransomware group. Operating under a Ransomware-as-a-Service (RaaS) model, Medusa Locker employs double-extortion tactics, encrypting sensitive data while threatening to leak it unless a ransom is paid.

Instead of adhering to the Health Insurance Portability and Accountability Act (HIPAA) by notifying affected individuals and authorities within 60 days, Westend Dental delayed its data breach notification until October 2022—a full two years after the attack.

During this time, the company denied experiencing a data breach, attributing the data loss to a “formatted hard drive.” However, consumer complaints and testimony from a former employee eventually prompted a broader investigation that revealed the truth.

HIPAA Violations Uncovered

The Indiana OIG’s investigation unveiled extensive HIPAA violations:

Lack of Employee Training: No HIPAA training was conducted prior to November 2023.

Nonexistent Risk Analysis: Westend Dental never performed a HIPAA-compliant risk analysis.

Inadequate Password Policies: All servers containing sensitive patient information shared the same username and password.

Lack of Physical Safeguards: Servers were left in unsecured areas like break rooms and bathrooms.

Improper Data Management: Plain-text lists of usernames and passwords were stored on compromised servers.

Additionally, Westend Dental’s failure to conduct a forensic investigation meant the exact number of affected patients remains unknown. At the time of the breach, the practice served approximately 17,000 patients.

The Fallout

The investigation revealed that Westend Dental’s response to the ransomware attack was not only insufficient but deliberately deceptive.

Internal communications showed the company was aware of the ransomware demand and the potential exposure of protected health information (PHI). Despite this, Westend Dental denied the incident, claiming it involved fewer than 500 records and did not require HIPAA reporting.

The delayed breach notification and false statements to investigators culminated in the $350,000 fine and heightened scrutiny from both state and federal agencies.

The Broader Implications

This case highlights the dire consequences of neglecting cybersecurity and transparency in the healthcare sector. Critical infrastructure, including healthcare services, remains a prime target for ransomware attacks, given the sensitivity of the data and the high stakes involved.

Medusa Locker’s modus operandi often involves exploiting weaknesses in exposed Remote Desktop Protocol (RDP) services to gain access to networks. While it remains unclear how the group infiltrated Westend Dental’s systems, the company’s lack of monitoring software and weak password policies likely facilitated the attack.

For healthcare providers, the path forward is clear: invest in comprehensive cybersecurity frameworks, ensure compliance with HIPAA or regional regulations, and maintain transparency with patients and regulators. Anything less risks not only the integrity of sensitive data but also the trust and safety of the communities they serve.