NYSDA Publications

Great Expressions Dental Centers Settles Data Breach Lawsuit for $2.7 Million

Oct 24, 2024

Per the notice below, Great Expressions Dental Centers has settled a data breach lawsuit for $2.7 million.

Dental Center Agrees to Settlement of $2.7 Million for Data Breach

Description

Great Expressions Dental Centers, a Michigan-based dental service organization with nearly 300 affiliated practices across the United States, experienced a significant data breach in February 2023.  The incident affected approximately 1.9 million patients and employees.  Over a six-day period, an unauthorized party potentially accessed personal information of both employees and patients.  For employees, the compromised data included names, Social Security numbers (SSNs), driver’s license numbers, and even bank account and routing information.  Patient information at risk contained names, birth dates, mailing addresses, Social Security numbers, credit card numbers, and details from medical and dental records.  Great Expressions began notifying affected individuals on May 12, 2023, approximately three months after the breach occurred.

Basis of the Case

An initial case was filed by a plaintiff on May 18, 2023, following the data breach at Great Expressions Dental Centers.  A consolidated class action complaint was later filed on August 28, 2023, that combined multiple suits related to the incident.  The plaintiffs allege that Great Expressions had a duty to protect patient and employee data but failed to take reasonable precautions.  Specifically, they claim the company did not encrypt the sensitive data that was exposed during the breach.  The plaintiffs also argue that the defendant failed to implement appropriate security measures, including:

  • Enforcing the principle of least privilege (PoLP)
  • Maintaining vigilant patching and updating of systems
  • Providing proper security training for employees

Because of the breach, the plaintiffs contend they now face potential misuse of their personal information.  They argue they must invest time and effort in monitoring their accounts to detect and prevent fraudulent activity, causing inconvenience and stress.

Award Settlement

A settlement was agreed to by all parties in mid-October of 2024.  In the settlement, Great Expressions Dental Centers agreed to provide cash benefits to two subclasses of affected individuals.  Those whose Social Security numbers were compromised will receive up to $500 for ordinary out-of-pocket losses, and up to $40 for ordinary attested time spent responding to the incident.  Those whose Social Security numbers were not affected will be compensated for up to two hours of time spent responding to the data security incident at a rate of $20 per hour.  In addition, the attorneys representing plaintiffs and class members are slated to be paid $900,000, plus expenses up to $25,000.

Call to Action

As part of the settlement, Great Expressions Dental Centers agreed to implement and maintain security measures to protect sensitive information in the future.  Some of these measures include the following:

  • Multi-factor authentication (MFA): Implement and maintain an MFA solution for accessing the company’s network via a virtual private network (VPN).  MFA serves as an additional layer of security in an era in which passwords are too easily compromised by attacks.
  • IP address whitelisting: Maintain a whitelist of approved IP addresses permitted to connect to their networks.  This blocks connection attempts from unknown or potentially malicious sources.  An allow list is much easier to maintain than the practice of blacklisting IP addresses, and more effective.
  • Vulnerability management: Implement and utilize a comprehensive vulnerability management tool to conduct regular scans and facilitate enterprise-wide patching.  It is often recommended that these scans and risk assessments be conducted by experienced third-party specialists.
  • Data retention and destruction policies: Create and maintain policies that govern the retention and destruction of patient information.  Sensitive data that is no longer needed should be properly destroyed.
  • Encryption management: Continue the integration of an encryption management solution to ensure all workstations are properly encrypted.  With all systems encrypted, data on a lost or compromised device cannot be read without the required encryption key.
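The IP allow-listing measure above is the one item in the list that reduces to a small, checkable rule: a connection is permitted only if its source address falls inside an approved range, and everything else, including malformed input, is denied.  The following is an added example written for this article, not code from the notice or from Great Expressions; the network ranges, the VPN gateway address and the connection-log lines are constructed sample values (documentation ranges from RFC 5737), and `is_allowed` and `triage` are names chosen here.

```python
"""Added example (not from the NYSDA notice or Great Expressions): a
CIDR-based IP allow list of the kind described in the settlement terms,
applied to a few constructed connection-log lines."""
import ipaddress

# Constructed allow list: an office range and a single VPN gateway address.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed office range
    ipaddress.ip_network("198.51.100.7/32"),  # constructed VPN gateway
]


def is_allowed(source_ip: str) -> bool:
    """Return True only if source_ip lies inside an allowed network.

    Anything that does not parse as an IP address is rejected, so the
    check fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


# Constructed log lines: timestamp, source IP, target service.
SAMPLE_CONNECTIONS = [
    "2024-10-01T08:02:11Z 203.0.113.45 vpn",
    "2024-10-01T08:05:39Z 198.51.100.7 vpn",
    "2024-10-01T08:07:02Z 192.0.2.99 vpn",
    "2024-10-01T08:09:15Z not-an-ip vpn",
]


def triage(lines):
    """Split connection attempts into (allowed_ips, denied_entries).

    The denied list is what a defender would route to alerting: it holds
    every source that is outside the allow list or could not be parsed.
    """
    allowed, denied = [], []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:          # malformed record: treat as denied
            denied.append(line)
            continue
        ip = parts[1]
        (allowed if is_allowed(ip) else denied).append(ip)
    return allowed, denied


if __name__ == "__main__":
    ok, blocked = triage(SAMPLE_CONNECTIONS)
    print("allowed:", ok)
    print("denied:", blocked)
```

The contrast with a deny list is visible in the structure: the allow list is a short, stable set of ranges the organization controls, while a deny list would have to grow with every newly observed hostile source and would still let unknown addresses through by default.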