Despite today being April Fools' Day, today's post is true. Quite honestly, I wish it wasn't.
As you regular readers know, I'm constantly screaming about data security from the mountaintop. However, I don't normally identify offices affected by a breach by name. This one is different. This breach is newsworthy because of the number of patients affected. DSOs are prime targets for data breaches as they have interconnected systems that allow criminals to get *more* data than they could grab from a single office. This particular breach has the potential to affect 173,000 patients and because of that, I think it's important to know about.
I want to make clear that this post is not meant to embarrass or demean the DSO. This post is to remind all of us that security is a hugely important topic. Taking your eyes off target can result in your practice being affected by something like this. Incidents like this are hard for a private practice's IT contractor to stop. To get the best protection possible, an office needs security professionals. There are several companies out there that can help make you as secure as possible. My current favorite is Black Talon Security. Also, to be able to restore your info without paying the ransom, having solid and verified backups is critical. That's why I trust DDS Rescue to provide backup services to my practice.
I'd also like to commend Chord Specialty Dental Partners for following the letter of the law. HIPAA requires specific reporting and it looks like they are doing all they can to meet those reporting requirements. These incidents are stressful and difficult on everyone involved and it appears that Chord is doing everything they can. Below is their breach announcement as required by HIPAA.
At this time, Chord is not aware of any evidence to suggest that any information has been or will be fraudulently misused. However, we were unable to rule out the possibility that the information could have been accessed. Therefore, in an abundance of caution, we are notifying potentially impacted individuals of this incident.
In response to this incident, we immediately began an investigation and reviewed our policies and procedures related to data security. We are also providing potentially affected individuals access to credit monitoring and identity protection services as an added precaution. If you have questions about this incident or would like to enroll in the credit monitoring and identity protection services, please call 1-833-998-6327, Monday through Friday, between 8 AM and 8 PM ET, excluding holidays. You may also write to us at 1801 West End Ave., Suite 410, Nashville, TN 37203.
In general, we encourage potentially affected individuals to remain vigilant against incidents of identity theft and fraud by reviewing credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus, TransUnion, Experian, and Equifax. To order your free credit report, visit www.annualcreditreport.com or call 1-877-322-8228.
Individuals have the right to place an initial or extended fraud alert on a credit file at no cost. If individuals are a victim of identity theft, they are entitled to an extended fraud alert lasting seven years. As an alternative to a fraud alert, they have the right to place a credit freeze on a credit report. The credit freeze is designed to prevent credit, loans, and services from being approved without consent. Pursuant to federal law, individuals cannot be charged to place or lift a credit freeze on their credit report.
Should individuals wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
TransUnion: 1-800-680-7289, www.transunion.com
Experian: 1-888-397-3742, www.experian.com
Equifax: 1-888-298-0045, www.equifax.com
Individuals can further educate themselves regarding identity theft, fraud alerts, credit freezes, and the steps to protect their personal information by contacting the credit reporting bureaus, the Federal Trade Commission (FTC), or their state Attorney General. The FTC also encourages those who discover that their information has been misused to file a complaint with them. The FTC may be reached at 600 Pennsylvania Ave. NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement, the state Attorney General, and the FTC.