Pennsylvania dental patients’ stolen social security numbers posted online


EDR Data breach in Williamsport, Pennsylvania

By D. Kellus Pruitt DDS

Over the last 7 years, I have absorbed a surprising amount of criticism for warning my community that electronic dental records continue to grow both more expensive and more dangerous than paper dental records. That chunk of bad news, which not one dental leader is ready to acknowledge, is becoming increasingly difficult for even the most popular practice management consultants and other third parties to hide. Unresponsiveness from those who profit from EDR sales is unethical and has already harmed dental patients.

Vulnerability Notes

In the two Vulnerability Notes concerning dental software giant Dentrix that the CERT Coordination Center (kb.cert.org) has published in the last year under US Department of Homeland Security sponsorship, security researcher Justin Shafer was thanked in both for alerting authorities to Dentrix’s weaknesses.

Though evasive EDR stakeholders were able to fend off transparency far too long, it is fast becoming obvious to the world that their free ride with no accountability has always been destined to end ugly, and greed is to blame. Unforgiving media coverage of the nation’s loss of confidence in EDRs just might start in a day or so in the parking lot of a dentist’s office near Williamsport, Pennsylvania. Take cover, Dentrix.

Eyeing Dentrix 

In the last two years, Justin Shafer’s uninvited watchful eye over Dentrix’s vulnerabilities may have already helped protect millions of dental patients from identity theft. Nevertheless, Dentrix’s security problems, which company officials apparently hide, continue to endanger the welfare of uninformed Americans. I have learned that Shafer doesn’t give up easily. He’s in HIT for the long haul.

Yesterday morning, he posted a heads-up on the City of Williamsport’s Facebook page, as well as on four other local Facebook pages, warning of the results of a dental office data breach of Dentrix software: dental patients’ social security numbers have become available in a zip file on Piratebay.

Shafer: “I am willing to bet there are a lot of your citizens SSN’s in this database. Look at rsc_dat.dat and patient.dat… Seems a dental database ended up on piratebay. You may already know.. you may not.”

He explained it to me this way: “the practice info is in rsc_dat.dat, patient info is in pat_dat.dat. It’s a nightmare, and I told dentrix and the doctor a full year ago.”

Insightful or clueless dentist?

Assessment 

Did your opinion of censorship in dental care recently undergo change?

Conclusion

Your thoughts and comments on this ME-P are appreciated. Feel free to review our top-left column, and top-right sidebar materials, links, URLs and related websites, too. Then, subscribe to the ME-P. It is fast, free and secure.


14 Responses

  1. 1/3 of Williamsport
    [follow-up]

    One-third of Williamsport citizens are in danger of data breach, yet unaccountable dental-care stakeholders hide the important information from dentists and patients.

    As it turns out, the Williamsport data breach is ten times worse than I thought, above, when I attempted to submit a warning about Dentrix’s vulnerability to the Dental Management and Office Managers LinkedIn group yesterday. This morning, I learned that up to 11,000 dental patients’ social security numbers and other personal information are still available online due to an unreported data breach of a Dentrix system.

    That’s 1/3 of Williamsport’s population.

    Instead of offering transparency to dental professionals whose patients may one day hold them accountable for identity theft, the moderator of the Dental Management and Office Managers LinkedIn group chose to hide the news from readers – including those who might be victims.

    On the other hand, the moderator cannot be held accountable for empowering harm through censorship… That is, if one does not count this message from me to her and others.

    Darrell Pruitt DDS


  2. Something Gave

    A reporter named Dave Bohman from WNEP out of Scranton, Pa., has taken interest in the Williamsport data breach and is interviewing Justin Shafer tomorrow morning ….

    Did I mention that 11,000, or 1/3 of Williamsport’s citizens’ identities have been available on the internet for 3 years?

    Darrell Pruitt DDS


  3. Williamsport data breach update

    Following an unreported data breach from a dental office over 3 years ago, up to 11,000 Williamsport, Pennsylvania patients’ Protected Health Information (PHI), including social security numbers, has been made available by Piratebay “seeders” under the title, “Dentrix XI Dental Practice Management Software.”

    http://thepiratebay.sx/torrent/5374693/

    Here is a short list of seeders’ computers which are currently sharing the identities of Williamsport residents with anyone interested:

    70.112.83.223 AustinTX
    222-adsl.ntc.net.np Nepal
    117.197.136.142 India
    217.21.147.176 Albania
    117.197.136.142 IP University of Pittsburgh, PA

    Frightening.

    D. Kellus Pruitt DDS


  4. Williamsport data breach
    [Failure of leadership in the dental profession?]

    Today, Piratebay reports that there are 14 “seeders” and 1 “leecher” who are showing interest in the “Dentrix XI Dental Practice Management Software” file – the Piratebay “torrent” containing Protected Health Information (PHI) of 11,000 Williamsport, Pennsylvania dental patients.

    http://thepiratebay.sx/torrent/5374693/

    “Seeders” – like the IP addresses I shared from Austin, Nepal, India and Albania – have downloaded the complete file, and in turn, join other seeders in helping to speed the distribution of personal information. The more seeders a torrent attracts, the faster Albanians and others can download dental patients’ social security numbers, birthdates, medical information and other private items.

    “Leechers” are those who share what they have, while downloading what others have to offer.

    To appreciate the vast, lasting harm that resulted from only one unreported Pennsylvania data breach, consider that the number of seeders and leechers changes daily. This means that after three years, owners of hundreds, if not thousands, of computers in some of the seediest parts of the world may already know Williamsport residents better than their own neighbors do.

    What dentists need is leadership.

    D. Kellus Pruitt DDS


  5. Shafer’s post on Williamsport’s FB page seems to have disappeared. Interesting.

    Dissent Doe


  6. You may already be known worldwide

    “Over 5,000 dental patients’ data shared on torrent site,” by Nicole Freeman was posted Friday on HealthIT Security.

    http://healthitsecurity.com/2013/12/13/over-5000-dental-patients%E2%80%99-data-shared-on-torrent-site/

    Freeman writes: “It seems that there are more questions than answers regarding the incident. While the office notified 5,000 patients, the SSNs for nearly 9,000 are available online. Was the office unaware of the actual number of affected patients, or did they choose to only notify 5,000?”

    She adds: “Since [the torrent’s] first internet appearance, it can now be found on 18 sites, and the files have been downloaded more than 9,000 times from a single site alone.”

    Thousands of Williamsport citizens’ PHI has been online for 4 years, yet the breach has still not appeared on the HHS Wall of Shame. My sincere question is, does anyone (other than perhaps our geopolitical adversaries) have even a clue of the real number of data breaches that have occurred from healthcare organizations?

    How about some transparency, HHS? It was one of Obama’s promises.

    D. Kellus Pruitt DDS


  7. HHS

    I spoke to HHS last week to inquire why the breach report wasn’t up on their site. They (finally) added it two days ago.

    Of course, it doesn’t appear accurate at all, but hey, at least it’s up there, right?

    Dissent Doe


  8. On Better PWs

    Darrell – The conventional wisdom about how to build strong passwords can be counter productive.

    http://www.propublica.org/article/privacy-tools-how-to-build-better-passwords?utm_source=et&utm_medium=email&utm_campaign=dailynewsletter

    So, here are some better ways to build passwords that are hard to crack.

    Mena


  9. Thanks Mena,

    The “44 bits of entropy” included in your easily remembered example “correct horse battery staple” sounds good compared to 28 for “Tr0ub4dor&3.”

    But, I have to wonder if it is accurate to count 4 dictionary words as 11 bits each. You might want to throw in a capital leTter, puncTuation & a number 0r 2 in my opinion.

    Darrell

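The two figures traded in the exchange above come from counting the attacker's choices, not the characters. As an added worked example (not part of the comments and not code from the ProPublica piece), the block below computes both numbers under the attacker-knows-the-scheme model, then goes a little beyond the exchange: it shows what capitalising one letter and appending a symbol and a digit add under that same model, how the naive "length times character set" estimate compares, and how long exhaustive guessing takes. The 2048-word list, the per-transformation choice counts and the 1,000 guesses per second rate are assumptions of the example.

```python
import math

# Assumptions of this example, not figures taken from the comments above.
WORDLIST_SIZE = 2048        # the passphrase is words drawn uniformly from a 2048-word list
GUESSES_PER_SECOND = 1000   # an attacker's rate against a throttled online service


def bits(choices: float) -> float:
    """Entropy of one choice made uniformly among `choices` equally likely candidates."""
    return math.log2(choices)


def passphrase_entropy(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Attacker knows the list and the word count; each word is an independent uniform pick.
    Four words from 2048 give 4 * 11 = 44 bits. The figure is only valid if the words were
    actually chosen at random from that list, not picked by hand."""
    return n_words * bits(wordlist_size)


def substituted_word_entropy(base_word_choices: int = 2 ** 16,
                             capitalisation_choices: int = 2,
                             substitution_patterns: int = 8,
                             punctuation_choices: int = 16,
                             digit_choices: int = 8,
                             order_choices: int = 2) -> float:
    """'Tr0ub4dor&3'-style password as an attacker's rule set models it: an uncommon base
    word (about 16 bits) followed by a handful of small independent choices. The assumed
    defaults multiply out to 2**28, i.e. 28 bits."""
    return sum(bits(c) for c in (base_word_choices, capitalisation_choices,
                                 substitution_patterns, punctuation_choices,
                                 digit_choices, order_choices))


def modified_passphrase_entropy(passphrase: str, wordlist_size: int = WORDLIST_SIZE,
                                symbol_alphabet: int = 32, digit_alphabet: int = 10) -> float:
    """Capitalise exactly one letter, append one symbol and one digit. If the attacker knows
    that is the scheme, the gain is only the ambiguity of WHICH letter, symbol and digit,
    roughly 13 bits here, not a new character class applied across the whole length."""
    n_words = len(passphrase.split())
    letters = sum(ch.isalpha() for ch in passphrase)
    return (passphrase_entropy(n_words, wordlist_size)
            + bits(letters) + bits(symbol_alphabet) + bits(digit_alphabet))


def naive_charset_entropy(password: str, charset_size: int) -> float:
    """The 'length times log2(character set)' estimate. It overstates strength whenever the
    password is built from words or patterns an attacker can guess structurally."""
    return len(password) * bits(charset_size)


def seconds_to_exhaust(entropy_bits: float,
                       guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return 2 ** entropy_bits / guesses_per_second


if __name__ == "__main__":
    year = 365 * 24 * 3600
    print("four random words:       %.1f bits, %.0f years to exhaust"
          % (passphrase_entropy(4), seconds_to_exhaust(passphrase_entropy(4)) / year))
    print("substituted base word:   %.1f bits, %.1f days to exhaust"
          % (substituted_word_entropy(), seconds_to_exhaust(substituted_word_entropy()) / 86400))
    print("words + Cap + symbol + digit: %.1f bits"
          % modified_passphrase_entropy("correct horse battery staple"))
    print("naive charset estimate of the same passphrase: %.1f bits"
          % naive_charset_entropy("correct horse battery staple", 27))
```

The naive estimate for the passphrase comes out near 133 bits against a 27-symbol alphabet, three times the 44 bits an attacker who owns the word list actually faces; that gap is the reason password-strength meters that count characters are misleading, and why the extra capital, punctuation mark and digit are worth about 13 bits rather than the tens of bits they add on a character-class meter.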

  10. One way or another, I win

    Yesterday’s news of a data breach from local dental office creates not unexpected business opportunities for paper-based dentists.

    “Break-in at Arlington Dentist’s Office Puts Hundreds at Risk for Identity Theft – An Arlington dentist says the personal information of more than 500 patients could be at risk following a break-in at her office. Arlington police said some time between the night of August 23 and the morning of August 25, someone pried open the door to Dr. Vonica Chau’s practice off of Matlock Road and stole a computer. In a statement, Chau’s attorneys revealed that computer contains the names, addresses, phone numbers and social security numbers of her patients.” By Tim Ciesco, Channel 5, NBCDFW.com.

    http://www.nbcdfw.com/news/local/Break-in-at-Arlington-Dentists-Office-Puts-Hundreds-at-Risk-for-Identity-Theft-274547971.html?_osource=SocialFlowTwt_DFWBrand

    Dr. MK Raja, a professor at UT-Arlington’s College of Business, tells Channel 5 News that protecting oneself from identity theft following notification of a data breach creates “a lot of leg work for consumers.” Raja suggests that if you think your personal information has been compromised, you should immediately contact all three credit bureaus (Experian, Equifax and TransUnion) and put either an alert or freeze on your credit. I don’t know how tolerant you are, but that would piss me off.

    Since the bankruptcy-level liability of reporting stolen computers has failed to improve security, maybe direct competition for a growing number of breach-wary patients is the natural, marketplace solution… Anyone looking for a dentist who doesn’t put patients’ identities on office computers, my phone number is (817) 451-2323 and I am located in Fort Worth.

    Think it is still too early to consider de-identification of dental records? Take your time.

    D. Kellus Pruitt DDS


  11. Dentrix gets fined by the FTC for lying

    Remember a couple of years ago when Justin Shafer exposed Dentrix’s lie about encryption? Dentrix gets fined for lying to dentists.

    “Dental Practice Software Provider Settles FTC Charges It Misled Customers About Encryption of Patient Data” – the Federal Trade Commission January 5, 2016.

    https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled

    “Henry Schein Practice Solutions, Inc. (“Schein”), the provider of leading office management software for dental practices, will pay $250,000 to settle Federal Trade Commission charges it falsely advertised the level of encryption it provided to protect patient data.”

    As anyone can see, lies are common in the electronic dental record industry. It’s how HIT stakeholders roll.

    D. Kellus Pruitt DDS


  12. Justin Shafer as a national hero

    Years ago, I recognized Justin Shafer as a national hero. Today, Zack Whittaker, Security Editor for ZDNet, posted an article for Zero Day which supports my opinion. It’s about time Justin got some recognition for the millions of potential identity thefts he thwarted – even at the risk of personal harm.

    “Stop calling everything a ‘hack’ – Nevada state government’s website was leaking thousands of social security numbers, and highly sensitive personal data. They said it was a hack. Spoiler alert: It wasn’t.”

    http://www.zdnet.com/article/stop-saying-things-were-hacked-when-they-werent/

    Whittaker continues:

    There’s something that’s been bugging me all day.

    On Wednesday, security researcher Justin Shafer reached out to a handful of security reporters after he found that Nevada state government’s website was leaking thousands of applications from its medical marijuana dispensary program.

    Shafer found the leaky web portal by using Google to search government websites for words like “social security,” which anyone can do with relative ease. He invariably found one listed web address, ending in a number, which pointed to a PDF file purporting to be a medical marijuana dispensary application. Altering the number in the web address let anyone view different applications.

    ———-

    Whittaker describes how later – even after the leak had been confirmed by multiple news sources – Nevada chose to call the leak a hack. The difference between a hack and a leak is whom to blame – a hacker or a careless government employee.

    Whittaker:

    Shafer, and others who have brought matters of insecurity to their owner’s eyes, often face backlash or legal threats from the very people they’re trying to help.

    Incidentally, Shafer had been accused of “hacking” before, simply for informing a company, Eaglesoft, a provider of dental practice management software, that it was leaking confidential patient data by storing it in an unsecured FTP folder, available for anyone with an internet connection to see. His house was raided by the FBI as a result. But, unsurprisingly, no charges have been filed over the matter.

    ———-

    Nevertheless, Shafer’s computers which were confiscated in the raid have yet to be returned. Shafer fears that his family photos have been lost.

    Think about it. Justin stands accused of exceeding authorized viewing of publicly-available information. That is not a hack. Nevada and the rest of the nation must learn that if identities are stored on the curb, a thief is more likely to use them rather than to report the breach.

    D. Kellus Pruitt DDS

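The flaw Whittaker describes, a record number in the URL that the server trusts without asking whether the caller is entitled to that record, is an authorization bug, and the "alter the number" walk is its standard test. As an added example (my code, not the Nevada portal's and not anything Shafer published), the block below puts the vulnerable handler beside its hardened form, runs the same increment-the-number walk against both, and then runs a detector over access-log lines to show that the walk leaves a fingerprint whether or not the server served the file. The in-memory store, the account names, the log lines and the URL pattern are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed in-memory store: application number -> (account that filed it, PDF bytes).
# The numbers are sequential, which is exactly the property the increment-the-URL method relies on.
APPLICATIONS = {
    4101: ("alice", b"%PDF-1.4 application 4101 (constructed sample, no real data)"),
    4102: ("bob",   b"%PDF-1.4 application 4102 (constructed sample, no real data)"),
    4103: ("carol", b"%PDF-1.4 application 4103 (constructed sample, no real data)"),
}


class NotFound(Exception):
    """Used for both 'no such record' and 'not your record', so a prober cannot tell which ids exist."""


def fetch_vulnerable(session_user: str, app_id: int) -> bytes:
    # The number from the URL is the only thing consulted. Nothing ties it to the
    # session, so changing 4101 to 4102 hands back someone else's application.
    if app_id not in APPLICATIONS:
        raise NotFound(app_id)
    return APPLICATIONS[app_id][1]


def fetch_hardened(session_user: str, app_id: int) -> bytes:
    # Authorise on the server side: the record must exist AND belong to the caller,
    # and both failures get the same answer.
    record = APPLICATIONS.get(app_id)
    if record is None or record[0] != session_user:
        raise NotFound(app_id)
    return record[1]


def enumerate_ids(handler, session_user: str, start: int, count: int) -> list:
    """Walk a block of consecutive ids the way the article describes; return those that were served."""
    served = []
    for app_id in range(start, start + count):
        try:
            handler(session_user, app_id)
        except NotFound:
            continue
        served.append(app_id)
    return served


# Constructed access-log records (client address, request path, status) in the shape a web
# server would emit. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
ACCESS_LOG = [
    ("203.0.113.9",  "/applications/4101.pdf", 200),
    ("203.0.113.9",  "/applications/4102.pdf", 200),
    ("203.0.113.9",  "/applications/4103.pdf", 200),
    ("203.0.113.9",  "/applications/4104.pdf", 404),
    ("198.51.100.7", "/applications/4102.pdf", 200),
]
PATH_RE = re.compile(r"/applications/(\d+)\.pdf")


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of adjacent integers in `ids`."""
    best = current = 0
    previous = None
    for i in sorted(ids):
        current = current + 1 if previous is not None and i == previous + 1 else 1
        best = max(best, current)
        previous = i
    return best


def sequential_probe_clients(log, threshold: int = 3) -> list:
    """Flag clients that requested `threshold` or more consecutive ids. The walk shows up in the
    log whether the server answered 200 or 404, so the hardened handler still lets you see who tried."""
    ids_by_client = defaultdict(set)
    for client, path, _status in log:
        match = PATH_RE.fullmatch(path)
        if match:
            ids_by_client[client].add(int(match.group(1)))
    return [(client, longest_consecutive_run(ids))
            for client, ids in ids_by_client.items()
            if longest_consecutive_run(ids) >= threshold]


if __name__ == "__main__":
    print("vulnerable handler serves alice:", enumerate_ids(fetch_vulnerable, "alice", 4100, 6))
    print("hardened handler serves alice:  ", enumerate_ids(fetch_hardened, "alice", 4100, 6))
    print("clients walking sequential ids: ", sequential_probe_clients(ACCESS_LOG))
```

Against the vulnerable handler the walk returns every populated id; against the hardened one it returns only the caller's own record, and the 404 for the missing id 4104 is indistinguishable from the 404 for bob's and carol's, so the walk cannot even be used to count how many applications exist. Unguessable identifiers help, but they are a second line, not a substitute for the ownership check.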

  13. In Justin Shafer’s defense

    Here is the comment I posted in Justin Shafer’s defense following today’s Dallas News article, “Is this computer geek a hacker who harassed an FBI agent, or a hero trying to secure the internet?” By Kevin Krause, Federal Courts Reporter.

    https://www.dallasnews.com/news/crime/2017/06/02/computer-geek-hacker-harassed-fbi-agent-hero-trying-secure-internet

    —————–

    I have heard estimates that Justin Shafer’s efforts have thus far protected half a million patients’ identities. Here are three of his victories:

    Vulnerability Note VU#948155

    Henry Schein Dentrix G5 uses hard-coded database credentials shared across multiple installations

    http://www.kb.cert.org/vuls/id/948155

    “Thanks to Justin Shafer for reporting this vulnerability.” – Homeland Security, April 26, 2013.

    “Vulnerability Note VU#900031

    Faircom c-treeACE database weak obfuscation algorithm vulnerability”

    http://www.kb.cert.org/vuls/id/900031

    “Thanks to Justin Shafer for reporting this vulnerability.” – Homeland Security, June 10, 2013.

    (Dentrix earned this particularly shameful notice because they advertised to dentists that the software is encrypted, and that if a computer gets stolen or otherwise hacked, patients don’t have to be notified. Dentists took their word for it, only later to discover that encryption was a lie fabricated to sell more software).

    “Vulnerability Note VU#619767

    Open Dental installs with default database credentials”

    http://www.kb.cert.org/vuls/id/619767

    “Thanks to Justin Shafer for reporting this vulnerability.” – Homeland Security, September 6, 2016.

    ————

    I think Justin’s reporting of Patterson’s Eaglesoft vulnerability pissed off a highly regarded, but vengeful CEO who has a temper, has connections, and doesn’t care who his connections hurt.

    This was not a hack. The FBI was simply wrong to go after Justin Shafer in the first place, and then discovered they needed an excuse to save face. In my opinion, frustration was used as a tool to push Justin over the line and out of sight.

    Why did nobody in the Justice Department question Patterson’s motives for turning in Shafer, and for what? For exceeding authorized viewing of unprotected PHI that a Patterson employee had made publicly available to everyone on the internet?

    As a matter of fact, Justin warned the FBI about the ABSENCE of security offered by popular anonymous FTP servers months before the FBI finally issued a formal warning. (See: “United States: FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry” By Peter Stockburger for Mondaq, May 10 2017).

    http://www.mondaq.com/unitedstates/x/592744/Data+Protection+Privacy/FBI+Warns+Cyber+Criminals+Are+Targeting+Unsecured+FTP+Servers+In+The+Healthcare+Industry

    Nevertheless, I still have faith in our justice system. It may smell bad at times, but truth floats.

    A few minutes later, I added: “Sit back and wait for the Streisand effect.” Justin deserves it.

    Until better times, please remember Justin and his family. Big business vengeance hurts deep.

    https://www.gofundme.com/help-jennifers-family

    Darrell Pruitt

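The three Vulnerability Notes quoted in the comment above name two failures that reinforce each other: a secret (database credentials, an obfuscation key) that is fixed in the software and therefore identical in every installation, and an "encryption" that is really a weak obfuscation. As an added example (my code, not Faircom's, Henry Schein's or Open Dental's, and not a description of the c-treeACE algorithm or of any of their actual code), the block below uses the smallest scheme that has both properties, repeating-key XOR with a vendor-wide key, and runs the check a practitioner would run on a leaked file: recover the key from one practice's records using nothing but the file-format header that ships with the software, then show the same key opens a second practice's file. The XOR scheme, the key, the header and the patient records (with placeholder SSNs) are all constructed for the example.

```python
# A stand-in "obfuscation" scheme assumed for this example: repeating-key XOR with a key
# baked into the software, so every installation uses the same key. This is NOT the
# c-treeACE algorithm or Dentrix's code; it is only the minimal scheme that has the two
# properties the notes name (weak, and shared across installations).
SHARED_KEY = b"VendorKey!"          # constructed, hypothetical vendor-wide key

# Every record in the constructed file starts with the same fixed field header. The attacker
# needs no patient data to start, only the file layout, which ships with the software.
KNOWN_PREFIX = b"PATREC01|SSN="

# Two constructed practice databases. The SSNs are fabricated placeholders.
PRACTICE_A = [
    b"PATREC01|SSN=123-45-6789|NAME=Doe, Jane|DOB=1970-01-01",
    b"PATREC01|SSN=987-65-4321|NAME=Roe, Rick|DOB=1982-06-30",
]
PRACTICE_B = [
    b"PATREC01|SSN=555-12-3456|NAME=Poe, Pat|DOB=1965-11-11",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_file(records, key: bytes) -> list:
    """Each record is obfuscated independently, starting from key offset 0."""
    return [xor_bytes(r, key) for r in records]


deobfuscate_file = obfuscate_file   # XOR is its own inverse


def recover_key(obfuscated_records, known_prefix: bytes):
    """Known-plaintext attack. For each candidate key length shorter than the known prefix,
    derive the key bytes from the first record, then keep the candidate only if it turns every
    record's prefix back into the known header and the whole file into printable text."""
    first = obfuscated_records[0]
    for key_len in range(1, len(known_prefix)):
        candidate = bytes(c ^ p for c, p in zip(first[:key_len], known_prefix))
        prefixes_ok = all(xor_bytes(r[:len(known_prefix)], candidate) == known_prefix
                          for r in obfuscated_records)
        printable_ok = all(32 <= b < 127
                           for r in obfuscated_records for b in xor_bytes(r, candidate))
        if prefixes_ok and printable_ok:
            return candidate
    return None


def key_from_one_file_opens_another(obf_a, obf_b, known_prefix: bytes) -> bool:
    """The shared-secret failure: a key recovered from one practice's leaked file is enough to
    read every other installation's file, so one breach is effectively a breach of all of them."""
    key = recover_key(obf_a, known_prefix)
    return key is not None and all(xor_bytes(r, key).startswith(known_prefix) for r in obf_b)


if __name__ == "__main__":
    leaked_a = obfuscate_file(PRACTICE_A, SHARED_KEY)       # what a torrent of practice A holds
    key = recover_key(leaked_a, KNOWN_PREFIX)
    print("key recovered from practice A's file:", key)
    other_office = obfuscate_file(PRACTICE_B, SHARED_KEY)   # a different practice, same software
    for record in deobfuscate_file(other_office, key):
        print("practice B record read with A's key:", record.decode())
```

Two properties of real encryption are absent here and are what the FTC order above turned on: a per-installation key that is not derivable from the software, and a construction where knowing part of the plaintext reveals nothing about the key. A database that stores a vendor-wide key in the binary, or accepts a vendor-wide database password, fails both, and the breach-notification exemption that depends on the data being "encrypted" fails with it.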
