Notice of UB Dental Clinic third-party data security incident: Data Media Associates

By the University at Buffalo 

Data Media Associates LLC (DMA), a third-party organization that provides billing services to the UB Dental Clinic, has informed clinic officials that DMA was one of an estimated 2,500 organizations worldwide recently affected by the MOVEit software vulnerability and subsequent data breach earlier this summer impacting millions of people.

DMA – which uses MOVEit for file transfer services – informed clinic officials on July 20, 2023, that the cyberattack on MOVEit systems may have resulted in unauthorized access of personal health information of approximately 765 UB Dental patients who received billing statements from the clinic between May 4 and May 26, 2023. No systems directly operated or maintained by UB Dental were breached or compromised.

UB Dental has been assured that DMA took immediate steps to patch its MOVEit system in accordance with the developer’s instructions and thereafter undertook a comprehensive investigation to learn more about the scope of any potentially affected data. Their investigation revealed that certain data stored within MOVEit may have been acquired without authorization.

At this time, it is believed that only those patients who received billing statements from the UB Dental clinic between May 4 and May 26 may have been impacted and had the following information compromised: practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments or adjustments. No credit card information or Social Security numbers were part of the breach.

UB Dental will directly contact those patients affected by mail this week with information about steps patients can take to monitor their credit and safeguard their personal information.

UB Dental takes data privacy and information security very seriously and this matter is of utmost and vital importance to the clinic. UB information technology (UBIT) is leading the UB team that continues to evaluate the extent of the impact on UB Dental patients.

Any UB Dental patients with questions about the breach may contact the UB Dental clinic directly at 844-248-9266.

About Data Media Associates/MOVEit Data Breach

•What happened? In June 2023, DMA became aware of an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”) addressing a critical vulnerability affecting MOVEit Transfer, a managed file transfer solution used widely by businesses and government agencies, including DMA, to securely transfer data. After becoming aware of the alert, DMA took immediate steps to patch its MOVEit system in accordance with the developer’s instructions. DMA thereafter undertook a comprehensive investigation with the assistance of leading external experts to learn more about the scope of any potentially affected data.

DMA’s investigation concluded on June 30, 2023, and revealed that certain data stored within MOVEit may have been acquired without authorization. Since that time, DMA has been working diligently to provide notice to its partner organizations and gather information needed to provide notification to potentially affected individuals.

•What information was involved? The information involved in this incident may have included practice demographics, patient account number, patient name, guarantor demographics, statement date, amount due, service date, service/payment descriptions, charge amount, payments, or adjustments. No credit card information or Social Security numbers were part of the breach involving UB Dental patients.

•What is DMA doing to protect patient data? As soon as DMA discovered this incident, the above-described steps were taken. DMA has taken all remediation measures recommended by the MOVEit software developers. DMA will also be evaluating additional safeguards that can be put in place to further enhance the security of the data entrusted to them.

•What can patients do? Patients can follow these recommendations to help secure and monitor their protected health information. Patients should also review account statements and explanation of benefits forms and report any errors or activity they do not recognize to their insurance carrier.

•For more information: Any UB Dental patients with questions about the breach may contact the UB Dental Clinic directly at 844-248-9266.