Westend Dental LLC suffered a data breach in October 2020. Instead of following HIPAA's breach notification procedures, the practice denied that an attack had taken place and went on to commit several other HIPAA violations. Now, four years after the original breach, the company has been fined $350,000.
The public court documents reveal quite a gap between Westend Dental's IT practices and what HIPAA actually requires. But let's explore how the story unfolded. To understand it better, let's start with HIPAA itself.

HIPAA stands for the Health Insurance Portability and Accountability Act, a U.S. law passed in 1996 that sets privacy and security requirements for protecting medical information. HIPAA contains five basic rules that we must be aware of:
- Privacy Rule: Protected Health Information (PHI) must be safeguarded. The rule also gives patients the right to access, amend, and obtain copies of their health records, and it governs how those records may be shared. (PHI can only be shared with the patient's specific consent, except in some emergency situations or when required by law.)
- Security Rule: Healthcare organizations must protect ePHI (electronic PHI) with three kinds of safeguards. Administrative safeguards are the policies and procedures such as risk assessments, workforce training, and incident response protocols. Physical safeguards protect the facilities and devices where ePHI is stored. Technical safeguards (encryption, firewalls, and access controls) ensure that ePHI is accessed only by authorized personnel, both in transit and at rest.
- Breach Notification Rule: If PHI is compromised in a breach, the healthcare organization must notify affected individuals, the Department of Health and Human Services (HHS), and, in some instances, the media without unreasonable delay and no later than 60 days after the breach is discovered.
- Transactions and Code Sets Rule: Electronic healthcare transactions (billing and insurance claims) must use standardized formats and codes to improve efficiency and reduce errors.
- Enforcement Rule: Covered entities (healthcare providers, health plans, and healthcare clearinghouses) must comply with HIPAA or face penalties for violations. Penalties can be significant, ranging from fines to criminal charges, depending on the severity of the violation.
Looking at the case of Westend Dental: after the breach occurred in October 2020, one of the employees sent a notification to patients explaining that their data had been lost due to a mistake while formatting a server's hard drive. The e-mail reads: "This was not an intrusion, but an incident of data being lost when the on-site internal hard drive of the server got formatted by mistake." (Westend Dental, quoted from the court report; see Sources below.)
Later in the same report, we find that "Two years after the Data Breach, Westend Dental submitted a data breach notification form to the OAG indicating the Data Breach affected fewer than 500 individuals, but the actual number of affected patients is unknown and may be much greater because Westend Dental never completed a forensic investigation." (The OAG here is the Indiana Office of the Attorney General, which brought the case.)
Another reason the dental practice was fined was the disclosure of PHI on social media. Some posts were replies to patient reviews that publicly overshared health information. Others were advertisements on the practice's social media profiles in which the pictures identified patients and showed health records; all were posted without the patients' consent.
Other concerns include that, before 2023, "HIPAA Policies were never given to and were not readily available to any Westend Dental employees." That sentence is quoted literally from the court report. Without proper policies, it follows that employees did not receive HIPAA-related training either. Nor did the practice post the required HIPAA Notice of Privacy Practices on its website.
Moreover, physical security was non-existent: the server resided in the employee break room. During the investigation initiated by the State of Indiana, it was discovered that passwords were reused between machines and stored on the server in plain text. The company did not implement a secure password policy until January 2024.
Many more violations are identified in the 40 pages of the court complaint. The critical part, however, is understanding what we can take away from this case.
On the one hand, there are several technical controls that we should learn from this:
- Protect the physical location of the servers, especially those that contain PHI.
- Do not share passwords or accounts; ensure that every user has their own account and password, so that every action can be traced back to the person who performed it.
- Use a firm password policy to keep accounts safe, and never store passwords in plain text, whether on a server or on Post-it notes. If possible, enable multi-factor authentication on all accounts; at a minimum, admin accounts should enforce MFA. This ensures that even if a password is compromised, the attacker still cannot log into the systems.
- If you have a website, post a HIPAA Notice of Privacy Practices. (If you don’t have to comply with HIPAA, a privacy practice notice is still a great idea.)
On the other hand, there are administrative controls that we can learn from as well:
- If you must comply with any regulation, especially HIPAA, ensure that employees understand what the regulation requires and provide the required policy training.
- Ensure that all employees receive appropriate information security training. Understanding everyone’s role in the organization’s security posture is fundamental to helping protect it.
- Ensure that if you post some images of patients, you get their written consent and that pictures do not include PHI data on them.
- Keep it simple when replying to comments or reviews; do not share any details. If needed, request to have a conversation via phone or e-mail.
- If you are involved in a data breach, do not be ashamed to bring in a third party, such as a forensic investigator, to determine what actually happened and how many people were affected.
- Ensure that potentially impacted users are notified. It is better for our customers to be aware of a potential issue so they can act to limit further damage than to be caught off-guard. No one likes to admit they made a mistake, but the list of affected individuals and impacted information can always be amended later, and prompt notification shows your customers that you are responsible and act quickly.
Sources:
https://www.malwarebytes.com/blog/news/2025/01/dental-group-lied-through-teeth-about-data-breach-fined-350000
https://storage.courtlistener.com/recap/gov.uscourts.insd.218861/gov.uscourts.insd.218861.1.0.pdf
If you have any questions or want to reach out, feel free to visit my contact page: