Your front desk gets hit with a fake Delta Dental audit notice. A billing coordinator clicks a link. Three hours later, every patient record in your practice management system is encrypted and unreadable. The ransom demand arrives by email. Your phone is ringing — patients have appointments tomorrow.
This is not hypothetical. It happened to First Choice Dental (228,000 patients), PracticeMax (165,000+ patients), and Henry Schein (a global dental supply giant) within a span of about two and a half years. In the first 10 months of 2024 alone, the dental data of 88 million people was exposed via breaches reported to HHS, a figure that represents a sector-wide crisis that most dental practices are not taking seriously.
The numbers are unambiguous: healthcare is the most attacked critical infrastructure sector in the U.S., ransomware attacks on healthcare surged 58% in 2025, and dental practices — with dense PHI, aging IT infrastructure, and minimal security training — sit squarely in the crosshairs. A complete dental patient record commands $250–$500 on dark web markets. That’s more valuable than a credit card number.
This post documents seven real dental cyber incidents — from a 165,000-patient billing vendor breach to a $350,000 state settlement for an Indiana practice that tried to hide a ransomware attack — and explains exactly why dental offices are getting hit, what OCR is doing about it, and what you need to do this quarter to stop being the next headline.
The 7 Breaches
1. PracticeMax (2021/reported 2022) — 165,698 Patients, Billing Vendor Cascade
The attack on PracticeMax, a billing and practice management vendor serving dental, urgent care, and other healthcare clients, began on April 17, 2021. Attackers had access to the PracticeMax network for two weeks before ransomware was discovered on May 1. They deployed the ransomware, encrypted a server containing patient data, and left with copies of files containing PHI for 165,698 individuals.
But the story gets worse. PracticeMax took months to notify affected patients. The forensic investigation wasn’t complete until February 2022, roughly ten months after the initial intrusion. Additional notification letters went out in March 2022, and the company filed further state breach notifications in June 2022, meaning some patients learned their data was exposed more than a year after the attack occurred.
What was exposed: Names, Social Security numbers, dates of birth, addresses, treatment and diagnosis information, health insurance information, financial information, patient account numbers, passport numbers, driver’s license numbers, prescription information, and provider usernames and passwords.
Who was impacted: Multiple healthcare clients including dental practices, urgent care centers, and major insurance companies (Anthem, Humana). Fast Track Urgent Care alone reported roughly 258,000 individuals affected through its relationship with PracticeMax.
The failure point: No MFA on the billing vendor’s remote access systems. No documented security training program at the vendor. No incident response plan for a ransomware scenario. And critically — delayed breach notification that violated HIPAA’s 60-day requirement.
The regulatory consequence: Class action litigation filed in U.S. District Court for the District of Arizona. Multiple state AG investigations. The case illustrates that a practice can be victimized by a breach at a vendor it does not directly control and still carry HIPAA obligations for the downstream exposure: the business associate must notify the practice, but the practice, as the covered entity, remains responsible for notifying its own patients.
2. Henry Schein (October–November 2023) — ALPHV/BlackCat, 166,432 Individuals
On October 15, 2023, Henry Schein — one of the world’s largest dental distributors and healthcare solutions companies — detected a cyberattack on its manufacturing and distribution operations. The company immediately shut down affected systems. ALPHV/BlackCat, the ransomware group responsible, claimed responsibility and alleged they had stolen 35 terabytes of sensitive data including customer bank account numbers and credit card information.
Then the attack escalated. A second attack occurred in November 2023. BlackCat re-encrypted Henry Schein’s systems after initial ransom negotiations broke down, threatening further encryption if demands weren’t met. The company’s e-commerce service was suspended. Order processing switched to manual alternatives. IT services were down for approximately one month.
Over a year later (2024), Henry Schein confirmed in a Maine AG notification that 166,432 individuals had their personal information compromised. An external cybersecurity firm spent much of the first half of 2024 identifying exactly which files and individuals were affected.
What was exposed: Customer financial information (bank account numbers, credit card numbers) and business data, plus weeks of operational disruption for the thousands of dental practices that rely on Henry Schein for supplies and on its Dentrix software.
The failure point: ALPHV/BlackCat gained initial access through compromised credentials, not a zero-day exploit. MFA was not enforced on the access vector exploited. The second attack demonstrated the group was watching and responding to the company’s actions in real time.
The regulatory consequence: Maine AG breach notification filed. OCR breach report. FBI involvement. The Department of Justice later disrupted BlackCat’s infrastructure in December 2023 — but not before the group had already extracted maximum damage from Henry Schein and dozens of other healthcare organizations.
3. Managed Care of North America (MCNA) Dental (March 2023) — 8.9 Million Patients, Largest Healthcare Breach of 2023
MCNA Dental is the largest dental insurer in the nation for state-sponsored Medicaid and Children’s Health Insurance Programs — covering over 5 million members across eight states. On March 6, 2023, the company’s IT team discovered something was wrong. A forensic investigation revealed that LockBit ransomware had been inside MCNA’s network since February 26 — nine days of access to systems containing the dental records, insurance information, and personal data of nearly 9 million patients.
On March 27, LockBit claimed the attack and demanded a $10 million ransom. MCNA did not pay. On April 7, 2023, LockBit published all 700 gigabytes of stolen patient data on its dark web leak site, making it freely downloadable to anyone.
What was exposed: Full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, driver’s license numbers, government-issued ID numbers, health insurance information (plan names, insurer names, Medicaid/Medicare ID numbers, group plan numbers), and detailed dental care information including visits, dentist names, x-rays, photos, treatment history, and medicines.
Who was impacted: 8,923,662 individuals — including children, whose data is especially sensitive. The breach notification noted that in some cases, data pertained to “a patient’s parent, guardian, or guarantor,” meaning family members were also exposed. Over 100 healthcare providers were indirectly impacted through their MCNA network relationships.
The failure point: No MFA on the initial access vector. No network segmentation preventing LockBit from propagating across the entire MCNA environment. No documented vendor risk assessment program that would have flagged MCNA’s security posture as a systemic risk across the dental provider network.
The regulatory consequence: Class action litigation filed by Keller Rohrback (Seattle, Phoenix, Portland, New York, Oakland, Santa Barbara, Missoula). HHS OCR breach report. Maine AG notification. The breach represents the largest healthcare data breach of 2023 by record count.
4. Westend Dental (Indiana, 2020/reported 2022) — $350K Settlement, Class Action, “Cover Up” Allegations
The Westend Dental ransomware attack occurred in October 2020. That’s not a typo. The practice didn’t report it to the Indiana Attorney General until October 2022 — two years later — and even then claimed fewer than 500 individuals were affected and that the incident was the result of a “formatting mistake” involving a server hard drive, not a cyberattack.
The truth emerged when a patient requested copies of their dental X-rays. The practice’s front desk told them the records no longer existed “because someone hacked into their systems.” That complaint went to the Indiana AG, who opened an investigation and discovered what had actually happened: MedusaLocker ransomware had encrypted the practice’s files. A ransom note was received. Files were lost. And the practice had said nothing to anyone.
What happened: The Indiana AG’s investigation found that Westend Dental had one set of HIPAA policies — located at one of its six locations — with no evidence of implementation at any other location. The practice had never conducted a security risk analysis that reflected its actual environment. It had no incident response plan. It had no breach notification procedure.
The settlement: $350,000 to the State of Indiana. A mandatory three-year corrective action plan requiring documented HIPAA compliance across all six locations. Annual certifications to the AG’s office.
The regulatory consequence: Indiana AG lawsuit alleging HIPAA violations, state data security law violations, and state breach notification law violations. The case illustrates that “I didn’t know” is not a defense — OCR’s risk analysis initiative is specifically designed to identify practices that have never documented their actual threat environment.
5. First Choice Dental (Wisconsin, October 2023) — 228,000 Patients, 7-Month Notification Delay
On October 22, 2023, First Choice Dental detected a ransomware attack on its computer network. An unauthorized party had gained access and encrypted some patient files. The investigation took months to complete. Notification letters weren’t sent until May 2024 — seven months after the attack was discovered.
The seven-month delay drew scrutiny under state breach notification laws and damaged patient trust. Migliaccio & Rathod, a Washington D.C.-based law firm, opened a class action investigation in July 2024.
What was exposed: Patient names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information.
The failure point: No documented incident response plan that would have established a forensic investigation timeline and breach notification checklist. No pre-negotiated forensic vendor retainer. No documented procedure for determining notification scope within the required timeframe.
The lesson: Under the HIPAA Breach Notification Rule, ransomware encryption of ePHI is presumed to be a breach unless you can document a low probability that the PHI was compromised, and the 60-day clock runs from discovery, not from the end of the forensic investigation. Your IR plan needs a forensic vendor engagement protocol, a notification timeline checklist, and a decision tree for how quickly you can identify affected individuals, so that you notify with what you know rather than wait for the full picture.
6. Absolute Dental (February 2025) — 1.2 Million Patients, 50+ Locations
In February 2025, Absolute Dental — a multi-location dental group operating over 50 sites across Nevada — discovered a cybersecurity breach that exposed data on more than 1.2 million patients. This case is notable because Absolute Dental had “security measures in place” — the attack still succeeded, demonstrating that checkbox security without proper MFA enforcement, monitoring, and response procedures is insufficient.
What was exposed: Patient names, addresses, dates of birth, Social Security numbers, dental records, insurance information, and treatment data across 50+ practice locations.
The failure point: The phrase “security measures in place” without MFA on all PMS access, without EDR on all endpoints, and without continuous log monitoring is the difference between security theater and actual security. Absolute Dental’s systems were breached because a credential was compromised — likely via phishing — and that credential had access to systems that should have required a second factor.
7. Sonrisas Dental Health (January–March 2025) — BianLian Ransomware, 15,644 Records
In January 2025, Sonrisas Dental Health discovered unauthorized access to its systems. The BianLian ransomware group claimed responsibility and exfiltrated data before encrypting systems. HHS OCR breach reports confirm 15,644 individuals were affected.
This case illustrates the pattern that now dominates ransomware: double extortion, where attackers steal data before encrypting, so they keep leverage for a ransom payment even if the victim has good backups and never needs the decryptor.
BEC Case Study: Dental Insurance Billing Fraud — The Unreported Threat
Business email compromise targeting dental insurance reimbursements is systematic and largely unreported. Attackers compromise a practice billing mailbox, typically via a phishing email that impersonates a vendor or insurance carrier, then sit quietly and read: who pays the practice, whom the practice pays, when remittances are due, and what an ordinary payment conversation looks like. Often they add an inbox rule that forwards or hides matching messages so the real user never sees the replies.
Then they cash out in one of two ways. In the first, they use the compromised mailbox, or a lookalike domain, to send the insurer or clearinghouse an “ACH update” for the practice’s deposit account; the next remittance lands in the attacker’s account, and the insurer’s records show that the practice itself asked for the change. In the second, they impersonate a supplier or billing vendor and send the billing coordinator a request to “update our banking information before the next payment”; the coordinator, processing dozens of transactions a day, updates the payee. Either way the money is usually gone for weeks before anyone notices.
Chord Specialty Dental Partners (fka Spark Dental Management): In September 2024, the company discovered that an employee’s email account had been compromised and accessed by an unauthorized party from August 19 to September 25, 2024 — five weeks of access before detection. The compromised email accounts contained patient names, addresses, SSNs, driver’s license numbers, bank account information, payment card information, dates of birth, medical information, and health insurance information. Notification letters didn’t go out until March 2025 — nearly six months after the breach was discovered.
The pattern for billing coordinators: No training on BEC indicators. No monitoring of mailbox forwarding and filter rules. No two-person approval for payment changes. No verification call to a known number before processing an ACH update.
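As an added example (not code from the original post or from any vendor it names), here is a small Python script that encodes two of the missing controls above and runs them over exported mail data: it scores inbound payment-change requests for sender anomalies (a display name that claims a known partner but comes from a different domain, or a lookalike domain) and audits mailbox rules for external auto-forwarding and for rules that hide payment-related mail. The sample messages, rules and domain names are constructed, and the partner domain list is an assumption standing in for the carriers and suppliers a real practice would maintain.

```python
"""Added example: two cheap BEC checks over exported mail data.

Not code from the original post or from any vendor. Sample messages, rules and
domains below are constructed; KNOWN_PARTNERS and PRACTICE_DOMAIN are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRACTICE_DOMAIN = "example-dental.test"            # assumption: the practice's own mail domain
KNOWN_PARTNERS: Dict[str, str] = {                 # assumption: partner display name -> real domain
    "Delta Dental": "deltadental.test",
    "Henry Schein": "henryschein.test",
}
# Phrases that signal a request to change where money goes.
CHANGE_PHRASES = ("update our banking", "new bank account", "new routing",
                  "ach update", "updated remittance", "change of bank")
# Whole words that mark payment-related mail; matched on tokens so that
# "attachment" does not trigger on "ach".
PAYMENT_WORDS = {"ach", "invoice", "remittance", "routing", "wire", "eft"}


@dataclass
class Message:
    display_name: str
    sender: str
    subject: str
    body: str


@dataclass
class InboxRule:
    name: str
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to: Optional[str] = None
    contains: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (de1tadental vs deltadental)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def check_message(msg: Message) -> List[str]:
    """Findings for one inbound message; an empty list means nothing suspicious."""
    findings: List[str] = []
    text = f"{msg.subject} {msg.body}".lower()
    sender_domain = domain_of(msg.sender)
    if any(p in text for p in CHANGE_PHRASES):
        findings.append("payment-change request: confirm by phone on a number already on file "
                        "and get second-person approval before changing any account")
    for partner, real_domain in KNOWN_PARTNERS.items():
        if partner.lower() in msg.display_name.lower() and sender_domain != real_domain:
            findings.append(f"display name claims {partner} but sender domain is {sender_domain}")
        if sender_domain != real_domain and edit_distance(sender_domain, real_domain) <= 2:
            findings.append(f"lookalike domain {sender_domain} (expected {real_domain})")
    return findings


def check_rule(rule: InboxRule) -> List[str]:
    """Findings for one mailbox rule: external forwarding, or hiding payment mail."""
    findings: List[str] = []
    for addr in rule.forward_to:
        if domain_of(addr) != PRACTICE_DOMAIN:
            findings.append(f"rule '{rule.name}' auto-forwards to external address {addr}")
    tokens = set(re.findall(r"[a-z]+", " ".join(rule.contains).lower()))
    if (rule.delete or rule.move_to) and tokens & PAYMENT_WORDS:
        action = "deletes" if rule.delete else f"moves to '{rule.move_to}'"
        findings.append(f"rule '{rule.name}' {action} payment mail matching {sorted(tokens & PAYMENT_WORDS)}")
    return findings


# Constructed sample data: a clean remittance notice, two fraud attempts, one unrelated note.
SAMPLE_MESSAGES = [
    Message("Delta Dental Provider Payments", "payments@deltadental.test",
            "Remittance advice 4471", "Your EFT for claim batch 4471 has been issued."),
    Message("Delta Dental Provider Relations", "provider.relations@de1tadental.test",
            "ACH update required", "Please update our banking information for the next deposit."),
    Message("Henry Schein Accounts Receivable", "ar@henryschein-billing.test",
            "Invoice 88213", "We have moved to a new bank account. Please remit to the details attached."),
    Message("Dr. Smith", "frontdesk@example-dental.test", "Lunch Friday?", "Thai place at noon?"),
]
SAMPLE_RULES = [
    InboxRule("Sync", forward_to=["billing.archive@webmail-free.test"]),
    InboxRule("Clean up", delete=True, contains=["ACH", "invoice"]),
    InboxRule("Newsletters", move_to="Junk", contains=["unsubscribe"]),
]


def audit(messages: List[Message], rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Run both checks; findings keyed by message subject or rule name."""
    report: Dict[str, List[str]] = {}
    for m in messages:
        if f := check_message(m):
            report[m.subject] = f
    for r in rules:
        if f := check_rule(r):
            report[r.name] = f
    return report


if __name__ == "__main__":
    for key, items in audit(SAMPLE_MESSAGES, SAMPLE_RULES).items():
        print(key)
        for item in items:
            print("  -", item)
```

Export the rules from your mail platform (Exchange Online exposes them through the Get-InboxRule cmdlet; other platforms have equivalent admin exports) into the InboxRule shape, and feed the script the messages that mention banking changes. The script is less the point than the policy it encodes: every payment-change request gets a call-back on a number already on file and a second approver, no matter how legitimate the sender looks.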
The HIPAA Dimension: OCR Is Watching Your Practice Specifically
HHS Office for Civil Rights enforcement against dental practices has escalated significantly. The numbers are not abstract.
2024 was one of the busiest years on record for OCR: 22 settlements and civil monetary penalties totaling $9.94 million. The Risk Analysis Initiative launched in October 2024 has specifically targeted practices without documented security risk analyses. 11+ enforcement actions resulted from this initiative alone by early 2026.
Recent dental-specific OCR actions:
- Gums Dental Care: $70,000 CMP (October 2024) — failure to provide timely access to patient records
- Dental practice (15,000 patients): $125,000 settlement + 3-year corrective action plan (late 2024) — no documented risk analysis, no security measures
- Elite Dental Associates: $10,000 settlement (October 2019) — responding to negative patient reviews online by disclosing patient PHI
The Security Rule changes are coming: HHS’s proposed update to the HIPAA Security Rule (published for comment in January 2025 and not yet final; the trade press calls it the 2026 rule) would turn several of today’s “addressable” safeguards into hard requirements: multi-factor authentication, network segmentation, encryption of ePHI at rest and in transit, and the ability to restore critical systems within 72 hours. It does not shorten the breach notification deadline; patients and OCR must still be notified no later than 60 days after discovery, and many state laws are tighter. Once the rule is final, a practice that still lacks these controls will find it hard to argue anything other than willful neglect, the highest penalty tier.
The math is simple: A single OCR settlement for a dental practice in 2024–2025 cost $125,000–$350,000. Annual security training for an entire practice costs $150–$900. Even the most expensive training option is under 1% of the smallest of those settlements.
Why Dental Practices Get Hit: The Three Vulnerabilities
1. PMS Server Consolidation — One Credential, Every Patient Record
Dental practice management systems, whether server-based (Dentrix, Eaglesoft, Open Dental) or cloud-hosted (Curve Dental), are always on, reachable from every workstation in the practice, and usually wired into claims, imaging and patient-communication integrations. A single compromised front-desk credential gives attackers access to every patient record in the system, and a single compromised PMS server gives them all of it at once.
This is not theoretical. In the cases above where an entry point has been reported or alleged (Henry Schein, Absolute Dental), it was a compromised credential, not a zero-day exploit and not a sophisticated network intrusion, and phishing remains the most common way those credentials are stolen. A person, a password, and no second factor.
2. Front-Desk Staff: The Highest-Risk, Lowest-Trained Population in Your Practice
Front-desk coordinators process insurance authorizations, patient communications, and vendor updates under scheduling pressure all day. Those are exactly the conditions attackers exploit. 88% of healthcare workers opened phishing emails in 2024.
The phishing templates used against dental practices are specifically crafted: fake Dentrix support alerts, Delta Dental billing notifications, Cigna credentialing updates, Eaglesoft system alerts. A front-desk coordinator who has never seen a social engineering email and has no reason to question an “urgent credentialing update” from their PMS vendor is one click away from a catastrophic breach.
3. Vendor Concentration Risk — Your PMS Vendor Is Your Attack Surface
The PracticeMax breach exposed 165,000 patients across multiple dental practices that had never been directly breached. MCNA exposed 8.9 million patients through a single insurer’s network. The Change Healthcare attack disrupted dental claims processing nationwide for weeks, with many practices reporting cash flow impacts exceeding $50,000.
Every time you grant elevated access to a billing vendor, an IT contractor, or a DSO management platform, you expand your attack surface, often without knowing whether that vendor enforces MFA, monitors its systems, or has incident response procedures. HIPAA §164.308(a)(1)(ii)(A) requires a documented risk analysis covering all ePHI the practice creates, receives, maintains or transmits, including what business associates hold on its behalf, and §164.308(b) requires a business associate agreement with each of them (who must in turn bind their own subcontractors). Most dental practices have never done this for their PMS vendor.
What to Do This Quarter: 4 Actions That Actually Work
1. Enable MFA on Your PMS — Tonight
Your practice management system (Dentrix, Eaglesoft, Open Dental, Curve Dental) is your highest-risk access point. Every user account that reaches it should require MFA. MFA is a mandatory control in the proposed HIPAA Security Rule update, but you should implement it now; OCR’s enforcement actions already reference MFA in large provider settlements, and waiting for the final rule gains nothing.
How: Cloud-hosted systems typically expose MFA in their admin settings, usually through a TOTP app such as Google Authenticator; enable it for every user account, not just admin accounts. Many on-premise installations have no MFA of their own, because the PMS simply trusts the Windows session it runs in. There, enforce MFA one layer out: on Windows logon (through your identity provider or an MFA agent), on the VPN or remote desktop gateway used for after-hours access, and on the email and patient-portal accounts the practice uses. Then confirm there is no path into the PMS that bypasses it, such as a shared “front desk” login with a sticky-note password or a remote-support tool the vendor left enabled. A front-desk credential with MFA is far harder to exploit than one without.
Free tool: Free MFA setup guide — SecurEveryone
2. Run a Phishing Simulation for Your Front Desk — This Month
Phishing is the most common way the credentials behind breaches like Westend Dental, PracticeMax, and First Choice Dental get stolen. Your front desk is the highest-risk population in your practice and almost certainly the least-trained.
A phishing simulation sends a fake phishing email to your team and measures who clicks and who reports. It’s the fastest way to identify your actual exposure — not your theoretical one. The results are usually alarming enough to create genuine urgency for training.
Free tool: Phishing Analyzer — SecurEveryone
3. Build a Written Incident Response Plan Before You Need One
When ransomware hits, the HIPAA clock starts at discovery: you have at most 60 days to notify affected patients, and breaches of 500 or more individuals must be reported to OCR within that same window (smaller ones are logged and reported within 60 days of the end of the calendar year). State laws are often tighter. The proposed Security Rule update would also require you to restore critical systems within 72 hours, which is impossible without tested, offline backups. The decisions you make in the first 30 minutes determine whether you recover in days or weeks. Do you shut down the PMS? How do you handle patients scheduled that day? What do you tell your billing vendor?
Your IR plan needs to cover: ransomware triage (isolate PMS vs. clinical continuity), patient communication protocol when records are inaccessible, HIPAA OCR notification timeline (60-day window), state dental board and state breach notification law obligations, cyber insurance claim initiation, and forensic vendor engagement.
Free tool: Free Ransomware Response Playbook — SecurEveryone; Free IR Plan Template — SecurEveryone
4. Audit Your Vendor Access — This Quarter
Your PMS vendor, your billing clearinghouse, your IT contractor — do you have BAAs with all of them? Have you asked them about MFA on their systems? Do you know what happens to your patient data if they get breached?
HIPAA requires you to assess the risk that your business associates introduce. Most dental practices have never done this for their PMS provider. The PracticeMax breach is the direct consequence of that gap.
Questions to ask every vendor: Do you enforce MFA on access to our data? What is your incident response procedure? Do you have a current SOC 2 or security certification? Can I see your BAA?
The Bottom Line
Every incident in this post, from a 6-location Indiana practice to a 50-location Nevada DSO, started with something your practice controls: a phishing email a trained front desk could have flagged, or a password with no second factor behind it. The threat is not theoretical. The HIPAA enforcement is not theoretical. The financial consequence ($125,000 to $350,000 in settlements, millions in recovery costs, months of operational disruption) is real and documented.
The dental sector is not exempt from cybersecurity threats. It is disproportionately targeted because it has dense PHI, aging IT infrastructure, and minimal training — exactly the conditions that make attackers successful.
Start with one action this week: enable MFA on your PMS. Then run a phishing simulation. Then download the free Ransomware Response Playbook and review it with your team. Then audit your vendor access.
These four steps will materially reduce your risk. They cost $0. The alternative — a breach notification letter to 228,000 patients, an OCR investigation, and a class action lawsuit — does not.
Sources: FBI IC3 2024 Annual Report; IBM/Ponemon Cost of a Data Breach 2025; HHS Office for Civil Rights breach portal; HHS Resolution Agreements (hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements); Indiana AG v. Westend Dental complaint (December 23, 2024); PracticeMax Notice of Data Breach (CA AG filing, June 2022); Turke & Strauss PracticeMax class action (2022); CalHIPAA Fast Track Urgent Care 258K report; TAdviser Henry Schein cyberattack; Infosec Defence Henry Schein breach confirmation; HIPAA Journal MCNA Dental 8.9M; Bleeping Computer MCNA; TechCrunch MCNA; The Record MCNA; Keller Rohrback MCNA class action; DrBicuspid First Choice Dental 228K; Paubox dental breaches; Group Dentistry Now dental practice breach; Payment Security Report Westend Dental; Workplace Privacy Report Westend settlement; Industrial Cyber healthcare ransomware 2025; Huntress FBI ADA alert May 2024; ADA Change Healthcare advisory; HHS Change Healthcare FAQ; Siotek dental 2026 threat landscape; Delta Dental cybersecurity guidance; Adit cybersecurity dental practices; HIPAA Journal HIPAA fines 2026; Shook Hardy Bacon OCR enforcement 2024-2025; Censinet HIPAA enforcement cases; Hunton HIPAA settlement PIH Health 2025; Patient Protect HIPAA violations dental practices.