- In July 2019, Sarrell staff discovered malicious software on servers within the network.
- The software was ransomware, a type of malware or computer virus that is used to encrypt files on the server. It is accompanied with a message demanding payment in return for the ability to decrypt the files impacted by the virus. We did not pay the ransom.
- The Sarrell Information Technology team deactivated the network immediately after discovering the computer virus and engaged an independent computer security firm to investigate.
- The Sarrell Dental practices were closed for two weeks in order to rebuild the business systems. To protect health information in the future, we rebuilt our business systems with updated security and virus protection for the entire Sarrell network before reopening our practices.
- Our network and systems are monitored with upgraded capabilities to ensure that our system and the information we store will remain secure.
- The investigation has not found evidence that any files or information were copied, downloaded, or removed from our network, or that information that may have been involved in this incident has been misused. However, we cannot rule out the possibility that data was compromised.
- As a precaution, Sarrell Dental notified affected individuals by letter and made free credit monitoring and identity protection available.
Frequently Asked Questions
In July 2019, we detected ransomware on Sarrell Dental computers that appears to have been the result of an intrusion that may have begun in or around January 2019. Ransomware is a type of malware (computer virus) used to encrypt files and demand payment in return for the decryption key. We immediately deactivated our network, temporarily closed our practices, engaged an independent computer security firm to investigate, and did not pay a ransom.
The investigation has not found evidence that any files or information were copied, downloaded, or removed from our network. In addition, we have not discovered any evidence that information that may be involved in this incident has been misused. However, because we cannot rule out the possibility that sensitive information was obtained from the network, we are providing information about resources to assist those who were potentially impacted to protect their information.
What personal information was exposed?
The affected computer systems stored information including individuals’ names, addresses, dates of birth, Social Security Numbers, health insurance information, and treatment information. Treatment information can include some combination of dates of service, procedure codes, diagnosis codes and/or the name of treating dentist.
We cannot be certain whether or how much of this information was exposed. However, based on the investigation, we have not found evidence that any files were copied, downloaded, or removed from our network. In addition, we have not discovered any evidence that any information potentially involved in this incident has been misused.
I did not receive a letter stating that my information was compromised but feel that I should have. Can you help me?
Only those people whose personal information may have been involved received notification letters. The review of the data was extensive, and all of the affected individuals were notified by letters that were mailed on September 12, 2019.
Has law enforcement been notified?
Yes. Since this incident affected people in multiple states, Sarrell Dental reported it to federal law enforcement agencies and is cooperating with that investigation.
What is Sarrell Dental doing to prevent this kind of loss from happening again?
Sarrell Dental is taking this incident very seriously and regrets any concern this causes you. We have taken steps to prevent a similar event from occurring in the future. When we became aware of the incident, we immediately deactivated the entire network and took all practices offline while we worked to restore data. We also completely reformatted all servers that were found to be impacted and have updated security and virus protection for the entire Sarrell Dental network. We continue to implement additional security measures and we are committed to protecting the security and integrity of all the information we collect, store, and use.
What is the deadline for registering for the pre-paid package of identity protection services?
December 12, 2019
Has my personal information been misused?
At this time, there is no evidence that there has been any misuse or attempted misuse of the information exposed in this incident.
Who should I contact if I have questions?
You can call the number listed on the letter you received if you have more questions, or for information on the protection services that are being provided.
What are the risks of identity theft with the information that was exposed?
Receiving a letter does not mean that you are a victim of identity theft. At this time, there is no evidence that your information is at risk as a result of this incident; however, Sarrell Dental has notified you of this incident as a precaution.
We recommend that you review the letter and the information provided.
Is there anything I need to do in response to the exposure of my personal information?
Once you are enrolled in the ID Experts membership, you may also take advantage of your rights to the free fraud alert services offered by the three major credit bureaus. Placing fraud alerts will provide your credit with additional protection. In addition, doing so will give you access to copies of each of your credit reports at no cost to you.