Most people think that malware is spread by downloading a file from a website, an e-mail attachment or an online file sharing service. Yet it is also possible to transmit malware through a simple USB thumb drive. The American Dental Association (ADA) and thousands of dentists across the United States recently found this out the hard way. It appears that the ADA mistakenly mailed USB thumb drives laden with malware to a considerable portion of its members. The ADA’s motivation for mailing the thumb drives was to provide dental offices with recently updated codes for dental procedures. Dental offices use these codes to track their procedures in order to facilitate billing and insurance processes. According to representatives from the ADA, the USB drives were made in China by an ADA vendor subcontractor. All in all, nearly 40,000 thumb drives were sent out to members. Thankfully, this figure does not represent a majority of the association’s 159,000 members.

How the Problem was Identified

The mailing of these compromised USB thumb drives was first discovered when an online post was made to a DSL Reports Security Forum. The forum member, dubbed “Mike from Pittsburgh,” felt that the USB thumb drive mailed from the ADA seemed a bit suspicious. Mike’s forum post blasts the ADA for being its typical “inept” self. He went on to explain why the ADA should have made the new codes downloadable rather than sent through “snail mail.” It is clear that the ADA made an egregious error in judgment by mailing out unknown USB drives to dental offices and expecting employees to plug them into computers that hold PHI covered by HIPAA. When Mike examined the code within one of the flash drive’s files, he found that it attempts to open a web page that Internet experts have long associated with the distribution of malware. Web aficionados like Mike consider the domain in question to be run by criminals who are hell-bent on infecting visitors’ computing devices with nasty malware. The result of this malware is a full transfer of control of the user’s computer to the hackers.

The ADA’s Response

The ADA responded to the bad news about its compromised thumb drives by rattling off an e-mail to all members who shared their e-mail address with the seemingly trustworthy organization. The e-mail states that the ADA has received numerous reports of malware on its mailed thumb drives as well as the organization’s 2016 version of the CDT manual. The flash drives were actually placed in a pocket within the back cover of the manual. Yet the ADA went on to state that dental offices’ anti-virus programs would be able to easily identify and remove the malware. The unfortunate truth is that plenty of dental offices do not regularly update their anti-virus protection. As a result, many were negatively impacted by the malware-laden CDT 2016 thumb drive. The ADA capped off its apology letter by requesting that dental offices trash the flash drive if it had not already been used. The letter also encouraged members to download a PDF version of this year’s CDT manual as it contains the same information found on the thumb drives without the virus.

The ADA is adamant that some of the mailed flash drives do not contain malware. The organization encouraged those who used the flash drive without a hitch to continue using it going forward. Yet the ADA was clearly in the wrong by suggesting that each dental office’s anti-virus software would detect the malware. In reality, only some anti-virus programs are capable of identifying and removing the malware. Add in the fact that many dental offices fail to regularly update their anti-virus protection and the mailing of these tainted USB drives becomes an enormous problem.