
Photo via Steve Snodgrass/Flickr

The American Dental Association accidentally infected dental offices with malware

The tooth hurts.


AJ Dellinger


Dentists will now have to watch their computers for malware as closely as they examine your teeth for bacteria and decay, thanks to an infection spread by the American Dental Association (ADA).

The infection came from a USB drive that the ADA, the largest dental association, mailed to dental offices. The drive was supposed to contain an updated version of the dental procedure codes that dental offices use for billing and insurance.

One of the recipients of the drive, a forum user named Mike, posted about a particularly suspicious file that was allegedly found on the drive. He plugged the drive into a machine separate from his office’s system and examined the source code, where he found a bad actor buried on the drive.

The code attempts to open a website that has long been noted as a malware distribution hub and that tries to install software to compromise a user’s computer. A variety of antivirus platforms, including Sophos, Avira, and Google’s Safe Browsing URL scanner, mark the site as malicious.

“Good job,” Mike wrote. “The ADA just sent a malware injector to every ADA dentist in the US. Dumb shits.”

The attack would be a particularly big score for any hacker or scammer, who may suddenly find themselves in control of potentially thousands of computers that contain medical records, personal information, and billing details for patients. The ADA consists of over 159,000 members and the organization distributed more than 37,000 of the USB drives among them.

According to the ADA, which provided a statement to security expert Brian Krebs, only a small percentage of the drives were infected and anti-virus software “should” detect the malware if present. 

That seems to skirt the issue, of course, which is that the largest dental organization in the country put a huge swath of its customers at risk by ordering the USB drives via a subcontractor of an ADA vendor who had them manufactured in China.

The information held on computers at dental offices is considerably valuable to a person with bad intentions; a dental receptionist in New York ran an identity theft ring using information taken from her work computer. The receptionist and three others were accused of 394 charges relating to theft of $700,000, all stemming from information taken from personal files of patients.

Dentists who need to get their hands on the dental procedure codes can download them without worry from the ADA’s website. The ADA suggests that members who have received the USB drive but haven’t used it yet simply throw it away. 

Shortly after publication, the ADA provided the following statement:

In late 2015, the American Dental Association (ADA) began distributing the 2016 CDT Manual, which included flash drives in the back pocket. A small percentage of those flash drives were found to contain malware, which was transferred to the flash drives from a subcontractor of an ADA vendor during the manufacturing process.

Upon learning that some flash drives contained malware, the ADA promptly informed all customers via email or letter of the potential problem. The ADA also worked with our resellers and distributors to make sure their customers were notified. The notification to customers included the following information:

– Anti-virus software should detect the malware if it was present.
– Customers who had not used the flash drive should discard it.
– If customers had already used the flash drive and it worked as expected (that is, it displayed a menu linking to chapters of the 2016 CDT manual), the flash drive was not infected.

All customers were given a link to an electronic version of the 2016 CDT manual as an alternative to the flash drive.

To date, fewer than 10 people have reported to the ADA that their flash drive was infected.


The Daily Dot