PHI of 391,472 Patients of Sarrell Dental Potentially Compromised Due to a Ransomware Attack


A ransomware attack on Sarrell Dental in Alabama, is non-profit Children’s dental and optical services provider resulted in the potential compromise of the protected health information (PHI) of its patients.

Sarrell Dental is the biggest dental services provider in the state of Alabama with 17 clinics in operation. In July 2019, cyberattackers deployed ransomware on its network, which executed widespread encyption of files. Upon knowing about the attack, Sarell Dental deactivated the network and investigated the incident. The clinics affected by the attack stopped business operations for two weeks as the breach was being investigated and the systems were still being repaired. The provider received a ransom demand but did not pay it. The systems backup was used to restore patient information.

A team of third-party computer forensics experts was involved in the investigation to find out the magnitude of the breach. According to the investigation findings, the attackers might have accessed Sarrell Dental systems since January 2019. There was no evidence found that indicate the access or duplication of patient information by the attackers, however, the possibility cannot be eliminated. Thus far, there is no report of misuse of any patient information.

The components of the system that the attackers potentially accessed were found to hold patients’ PHI which include names, birth dates, addresses, Social Security numbers, medical insurance details, treatment data, dates of service, procedure codes, diagnosis codes, and the treating dentist’s name.

Sarell Dental already reported the incident to law enforcement and sent the breach notiication report to the Department of Health and Human Services’Office for Civil Rights (OCR). Based on the OCR breach report, 391,472 patients had their PHI potentially exposed.

The provider has since enforced extra security controls and network and enhanced system monitoring functions to avoid future attacks .

The affected patients received notification letters on September 12, 2019 and were offered free credit monitoring and identity theft protection services for one year.