Smile Brands Breach Impacts 2.5 Million Individuals

The number of individuals affected by a data breach at one of the largest providers of dental support services in the United States has increased to more than 2.5 million.

Smile Brands, based in Irvine, California, disclosed a data security incident involving ransomware back in June 2021. The company became aware of a ransomware attack affecting some of its computer systems on April 24 2021.

An investigation into the incident determined that certain protected health information (PHI) had been acquired by an unauthorized third-party.

Data compromised in the incident included patients’ names, addresses, telephone numbers, Social Security numbers, dates of birth, health insurance information and/or diagnosis information.

Smile Brands’ report to the United States Department of Health and Human Services, made in June 2021, indicated that 1200 patients were being notified of the data breach. 

That number was later revised to 199,683 individuals. In the most recent update, supplied to the Maine Attorney General’s Office on April 12 2022, the total number of individuals affected by the breach was listed as 2,592,494.

It wasn’t apparent whether the breach had impacted Smile Brands employees as well as its patients. 

In the most recent version of Smile Brands’ data breach notice, recipients are warned that an unauthorized third party may have acquired their “personal financial information” and “government-issued identification number.”

In December 20201, a lawsuit was filed against Smile Brands and Sahawneh Dental – one of Smile Brands’ 700 affiliated dental offices – over the ransomware attack and related data exposure. 

The 30-page suit claims that the defendants “negligently left their computer systems open to attack” and that the contents of those systems “were available for the unauthorized person(s) to access, view, acquire and exfiltrate for their nefarious use.”

“Twenty years ago, hacking victims would lose data and say, ‘Oh well, the data’s gone.’ Attribution and extortion were less of a concern as a platform for sharing or selling stolen data did not exist like it does today,” commented Matthew Warner, CTO and co-founder at Blumira.

“Today, ransomware is much more focused on blackmailing victims, getting data and doing more with that data.

What’s Hot on Infosecurity Magazine?