DMS Health Technologies, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
DMS Health Technologies, Inc., a provider of mobile imaging services, experienced a significant data breach that was first reported on June 16, 2023. The breach affected at least three rural health care systems, including Sanford Health with 21,211 patients, Avera with 1,500 patients, and Monument Health with 2,500 patients, all headquartered in South Dakota. The unauthorized access to DMS’s network occurred between March 27 and April 24, 2023, during which an unauthorized party obtained protected health information (PHI) from patients. The compromised PHI may have included names, dates of birth, dates of service, physician names, and exam types[1].
DMS Health Technologies is a third-party vendor that contracts with health systems to provide imaging services. There is some ambiguity regarding whether DMS is a HIPAA business associate or a covered entity, which has implications for compliance and breach management responsibilities. If DMS bills patients directly for its services, it would be considered a provider and a HIPAA covered entity. However, if the health systems bill patients for DMS services, then DMS would be a business associate[1].
The affected health care providers have been issuing press releases and notifications to the affected patients, and DMS will be notifying affected patients as well. Sanford Health, for example, has noted that it will be notifying patients, including 10,334 in North Dakota, 4,967 in Minnesota, 2,685 in South Dakota, 1,058 in Iowa, and others in 36 additional states[1].
DMS has taken steps to secure its network and is reviewing its policies and procedures to prevent future incidents. It has also provided notice to federal law enforcement and the U.S. Department of Health and Human Services. Affected individuals are encouraged to remain vigilant against identity theft and fraud and to monitor their credit reports[4].
As of the time of the report, there was no HIPAA breach report on file at the Office for Civil Rights (OCR); such a report is required within 60 days of discovering a breach that affects 500 or more individuals[1]. A separate entity, Doctors’ Management Services, Inc., had a resolution agreement and corrective action plan with the OCR for a ransomware breach, but this is not directly related to the DMS Health Technologies incident[2].
For more information, individuals can contact DMS’s dedicated assistance line or visit their website for further details on the breach and steps to protect personal information[4].
Citations:
- [1] https://thehipaaetool.com/dms-technologies-health-data-breach-grows/
- [2] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/dms-ra-cap/index.html
- [3] https://www.bleepingcomputer.com/news/security/200-000-facebook-marketplace-user-records-leaked-on-hacking-forum/
- [4] https://www.dmshealth.com/notice-of-data-event/
- [5] https://www.eurofins.com
- [6] https://www.valleynewslive.com/2023/09/15/personal-information-thousands-sanford-health-patients-potentially-compromised/
- [7] https://techcrunch.com/2024/02/14/slack-brings-ai-fueled-search-and-summarization-to-the-platform/
- [8] https://www.healthcareitnews.com/news/ocr-settles-ba-ransomware-breach
- [9] https://www.bleepingcomputer.com/news/security/microsoft-exchange-update-enables-extended-protection-by-default/
- [10] https://www.kfyrtv.com/2023/09/22/mountrail-county-medical-center-informs-patients-third-party-data-breach/
- [11] https://www.dmas.virginia.gov
- [12] https://www.inforum.com/news/north-dakota/private-information-of-over-20-000-sanford-patients-potentially-compromised-in-data-breach
- [13] https://help.twitter.com/en/rules-and-policies/platform-manipulation
- [14] https://apps.web.maine.gov/online/aeviewer/ME/40/f6d4016c-effa-4e0b-8371-0a44f4967030.shtml
- [15] https://www.pattersondental.com
- [16] https://www.dakotanewsnow.com/2023/09/16/sanford-health-imaging-vendor-hit-by-data-security-incident/
- [17] https://www.securitastechnology.com