The Threat Environment Has Changed — And Dental Practices Are a Target
There is a common assumption in small healthcare practices: "We are too small to be a target." That assumption is wrong, and it is expensive when tested. Dental practices hold exactly the kind of data that criminal organizations value most — Social Security numbers, dates of birth, insurance identifiers, and medical history — often protected by less security than a consumer's bank account.
The HHS Office for Civil Rights breach portal, which tracks incidents affecting 500 or more patients, consistently shows hundreds of reported breaches per year in the dental and healthcare sector. Many more small-practice incidents never make the national news. In 2026, the question for a dental practice is not whether you are a target, but whether you are a harder target than the practice down the street. Criminal groups largely use automated tools that find and exploit the easiest victims first.
This guide covers the specific threats that are reaching dental offices right now, what each one looks like from the front desk, and what a realistic defense looks like without requiring you to become an IT expert.
Ransomware: The Threat That Shuts Practices Down
What Ransomware Does
Ransomware is malicious software that encrypts — scrambles and locks — every file it can reach on your network. Patient records, X-rays, appointment schedules, billing data: all become unreadable. The attackers then demand payment, typically in cryptocurrency, for the decryption key. For a dental practice, a successful ransomware attack means no access to patient charts, no imaging, no billing — effectively zero clinical operations until resolved.
Recovery without a clean backup typically takes days to weeks and costs tens of thousands of dollars in IT remediation, even before any ransom payment. With a clean, tested backup, recovery can take hours to a day. The backup strategy is the single most important factor in how badly ransomware hurts you.
The Change Healthcare Effect
In February 2024, Change Healthcare — a clearinghouse that processes roughly 40% of all medical and dental insurance claims in the United States — suffered a catastrophic ransomware attack. The attacker gained access through a remote login portal that was not protected by multi-factor authentication (MFA — a second verification step beyond a password). The attack disrupted claims processing for dental offices across the country for weeks. Many practices reported cash flow disruptions of $50,000 or more while claims backed up.
The Change Healthcare incident demonstrated that ransomware risk is not limited to your own network. A vendor you depend on can be compromised, and the downstream effects can be severe. This is why vetting the security practices of your key vendors — your practice management software provider, your clearinghouse, your cloud services — is part of your own risk management.
How Ransomware Gets In
The most common entry points for ransomware in dental practices are: phishing emails that trick an employee into opening a malicious attachment or link, remote desktop connections left open to the internet without MFA, and outdated software with known security vulnerabilities. All three of these are preventable with basic controls.
Realistic Defenses
The defense against ransomware is layered, not a single product. The core elements are endpoint detection and response (EDR) software on every computer, which is more sophisticated than traditional antivirus and can detect ransomware behavior before it finishes encrypting; tested offsite backups that cannot be reached by ransomware running on your network; MFA on every remote access point and cloud service; and current software patching. EDR tools like Huntress are specifically built to catch the behavioral patterns of ransomware that traditional antivirus misses.
Business Email Compromise: The Threat That Empties Bank Accounts
What It Looks Like
Business email compromise (BEC) does not involve any malware or technical hacking of your systems. It is fraud conducted entirely through email. A criminal sends your office manager an email that appears to come from a trusted source — your dental supply vendor, your IT provider, your accountant, or even the practice owner — and requests an urgent wire transfer, a change to a payment account number, or the purchase of gift cards.
The emails look legitimate because they often are sent from compromised accounts, or from look-alike domains that are one character off from the real vendor's domain. A busy front-desk person handling a stack of tasks on a Monday morning may not notice that the email from "Henry Schein" came from a domain ending in .net instead of .com.
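The one-character-off domain trick above is exactly the kind of check a mail filter or a small script can do before a person ever has to notice it. The following is an added example, not code from the original article or from any vendor named here: it compares the sender's domain in a From: header against a constructed allowlist of vendor domains (the vendor list, the `classify_sender` function and the sample headers are all assumptions for illustration) and flags same-name-different-TLD swaps, small spelling edits, and a real vendor name used as a subdomain of an unrelated domain.

```python
"""Flag sender domains that are near-misses of known vendor domains.

Added example for illustration; not part of the original article.
The allowlist and sample From: headers are constructed.
"""
from __future__ import annotations

import re

# Constructed allowlist: domains the office actually does business with.
KNOWN_VENDOR_DOMAINS = {"henryschein.com", "dentrix.com", "patterson.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: value like 'Name <user@dom>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(from_header: str,
                    known: set[str] = KNOWN_VENDOR_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'known', 'lookalike', or 'unknown' for the sender's domain."""
    domain = sender_domain(from_header)
    if domain in known:
        return "known"
    base, _, tld = domain.rpartition(".")
    for vendor in known:
        vbase, _, vtld = vendor.rpartition(".")
        # Same registrable name, different top-level domain (.net instead of .com).
        if base == vbase and tld != vtld:
            return "lookalike"
        # A couple of characters off: an inserted hyphen, a swapped or dropped letter.
        if levenshtein(domain, vendor) <= max_distance:
            return "lookalike"
        # Real vendor name hidden as a subdomain of an unrelated domain.
        if domain.startswith(vendor + "."):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers; "lookalike" is the one to route for human verification.
    for hdr in ("Henry Schein <billing@henryschein.com>",
                "Henry Schein <billing@henryschein.net>",
                "Accounts <ar@henry-schein.com>",
                "Dr Smith <drsmith@gmail.com>"):
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A "lookalike" verdict is a reason to hold the message for the verbal check described later in this guide, not proof of fraud. The edit-distance threshold is deliberately small; raising it produces false positives on short domains, and Unicode homoglyph domains (an accented letter that renders like a plain one) need a separate check on the punycode form that this example does not include.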
Why Dental Offices Are Targeted
Office managers in dental practices regularly handle vendor payments, payroll, and banking. They are accustomed to receiving invoices and payment requests by email. BEC criminals study a practice's payment patterns — sometimes by compromising email accounts first and reading months of correspondence — before sending a perfectly timed fake invoice. The average BEC loss per incident in healthcare is over $125,000, and most of it is unrecoverable once the wire clears.
Common Scenarios
- Fake vendor invoice: An email that looks like your supply company sends an updated invoice with new bank account details. The payment goes to the criminal's account.
- CEO/doctor impersonation: An email appearing to be from the practice owner asks the office manager to urgently wire money or buy gift cards, often with a reason why they cannot be called.
- Payroll redirect: An "employee" emails HR asking to update their direct deposit account. The next payroll deposit goes to the criminal.
- Compromised vendor account: A legitimate vendor's email account is hacked, and the criminal uses their real email address to send fraudulent payment requests to all their customers, including your office.
Realistic Defenses
Email security filtering — specifically tools that analyze inbound emails for spoofed domains and known malicious senders — catches a large portion of BEC attempts before they reach the inbox. Proofpoint email security, for example, applies behavioral analysis and domain reputation checks that flag suspicious messages. But technology is only part of the defense: a simple verbal verification policy stops most BEC cold. Any request to change a payment account or transfer money above a set threshold ($500 is a common floor) requires a phone call to a known number to verify — not a reply to the email, not a new number provided in the email, but a number already on file.
Phishing and Credential Theft
What Happens When Credentials Are Stolen
Phishing is a broader category that includes BEC, but the most common version in dental practices targets login credentials. An employee receives an email claiming to be from Microsoft 365, their email provider, or their practice management software, saying their account is about to be locked and they must log in immediately. The link goes to a convincing fake login page that captures their username and password.
Once an attacker has valid credentials for a staff email account, they can read every email — including those that contain patient data, billing information, and banking details. They can reset passwords for connected services. They can impersonate the employee in outbound emails. And they often stay quiet for weeks before acting, studying the account to maximize the damage.
Password Reuse Against Dental Software Portals
Criminals maintain large databases of previously leaked usernames and passwords from data breaches at unrelated websites. They systematically try these credentials against dental software portals, insurance company logins, and Microsoft 365 accounts. If your front-desk employee used the same password for their Netflix account and your Dentrix practice portal, and Netflix was ever breached, that credential pair is likely in a criminal database right now. This attack is called credential stuffing, and it is automated and relentless.
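Credential stuffing leaves a recognizable trace in a portal's sign-in log: one source address cycling through many different usernames in a short window, mostly failing, occasionally succeeding. The block below is an added example, not code from the original article or from any portal vendor; it assumes a constructed four-column log format (timestamp, source IP, username, result) and flags any source that exceeds a failure count across several distinct accounts inside a time window, listing the accounts that then succeeded from that same source as the ones to reset first.

```python
"""Spot credential-stuffing patterns in a sign-in log.

Added example for illustration; not part of the original article.
The log format and the sample lines are constructed. Real exports from
Microsoft 365 or a practice-management portal have their own formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username, result.
# 203.0.113.5 tries six different accounts in six seconds and gets one in.
SAMPLE_LOG = """\
2026-03-02T08:01:10Z 203.0.113.5 frontdesk@example-dental.com FAIL
2026-03-02T08:01:11Z 203.0.113.5 billing@example-dental.com FAIL
2026-03-02T08:01:12Z 203.0.113.5 drsmith@example-dental.com FAIL
2026-03-02T08:01:13Z 203.0.113.5 hygiene1@example-dental.com FAIL
2026-03-02T08:01:14Z 203.0.113.5 hygiene2@example-dental.com FAIL
2026-03-02T08:01:15Z 203.0.113.5 officemgr@example-dental.com SUCCESS
2026-03-02T08:05:00Z 198.51.100.20 frontdesk@example-dental.com FAIL
2026-03-02T08:05:30Z 198.51.100.20 frontdesk@example-dental.com SUCCESS
"""


def parse_log(text):
    """Parse lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=3):
    """Return {ip: summary} for sources whose failures within any window
    exceed min_failures across at least min_distinct_users accounts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for t0, _, _, _ in evs:
            # Sliding window starting at each event from this source.
            win = [e for e in evs if t0 <= e[0] <= t0 + window]
            fails = [e for e in win if e[3] == "FAIL"]
            users = {e[2] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_distinct_users:
                # Accounts that succeeded from the same source are the likely
                # password-reuse victims: reset them and enforce MFA first.
                successes = sorted({e[2] for e in win if e[3] == "SUCCESS"})
                flagged[ip] = {"failures": len(fails),
                               "distinct_users": len(users),
                               "compromised_candidates": successes}
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The second source in the sample (one failure, then a success on the same account) is a typical human typo and is not flagged; the thresholds separate "one person mistyping" from "one machine trying a list". With MFA enforced, the SUCCESS line from the stuffing source would instead stop at the second factor, which is the point of the defenses described next.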
Realistic Defenses
Multi-factor authentication (MFA) is the single most effective control against credential theft. When MFA is enabled, stealing a password is not enough — the attacker also needs the second factor, usually a code from an authentication app on the employee's phone. Microsoft reports that MFA blocks over 99% of automated credential-stuffing attacks. A password manager helps staff use unique, complex passwords for every service without needing to remember them. Email security filtering blocks many phishing attempts before they reach the inbox. Enabling MFA on Microsoft 365, your remote access tools, and your dental PM software portal is a one-time configuration that dramatically reduces your exposure.
Supply-Chain Attacks: When Your IT Provider Is the Target
The Kaseya Pattern
In 2021, attackers compromised Kaseya VSA, a remote management platform used by managed IT providers to maintain their clients' computers. By attacking the software that IT providers use, criminals were able to push ransomware to hundreds of businesses through a single point of compromise — their own IT vendor. Dental practices among those clients suddenly had ransomware deployed by the very tool meant to protect them.
The pattern — targeting MSPs (managed service providers) to reach their downstream dental and medical clients — has not gone away. It is an efficient attack: compromise one IT firm and you potentially reach hundreds of practices simultaneously.
What This Means for Your Practice
You cannot fully control the security of your IT vendor's internal systems, but you can ask questions that help you assess their maturity: Do they run their own endpoint detection on their management infrastructure? Do they use MFA internally? What is their incident response plan? Have they ever disclosed a security incident to clients? A good IT partner will answer these questions without hesitation. A vague answer or an offended reaction is a warning sign.
Equally important: your own backup strategy should be independent of your IT provider. If your backups live only on infrastructure managed by your IT provider, a supply-chain attack that compromises that provider could reach your backups too. Truly independent offsite backups — on infrastructure your IT provider does not control — provide a meaningful layer of protection against supply-chain scenarios.
Social Engineering Against Front-Desk Staff
Phone-Based Manipulation
Not every attack comes through a computer. Social engineering is the practice of manipulating people into giving up information or access. A caller claiming to be from your software vendor's tech support asks your front-desk employee to read them a verification code that just appeared on screen. That code is an MFA prompt that an attacker triggered — and handing it over gives them access to your account.
Callers pretending to be from Microsoft, your IT company, or even your dental insurance carrier may ask employees to install software, provide login credentials, or disable security settings. No legitimate IT provider or software vendor will ever call you unsolicited and ask for your password or a verification code.
Why Front-Desk Staff Are Targeted
Front-desk employees are helpful by profession. They are accustomed to solving problems quickly, resolving patient issues, and being cooperative. Criminals exploit those instincts. A call framed as urgent technical support that could disrupt patient appointments is designed to trigger action before reflection. Training staff to pause, verify identity through an official callback number, and check with the office manager before granting any remote access is a straightforward defense.
Realistic Defenses
Annual security awareness training that includes social engineering scenarios — taught through realistic examples, not abstract rules — measurably reduces susceptibility. Role-playing exercises where staff practice saying "I need to call you back at the number on your website" build the reflex. A culture where employees feel safe saying "I need to verify this first" without fear of being seen as obstructive is one of the most valuable security assets a dental practice can have.
Putting It All Together: A Layered Defense
No single product or policy stops all threats. The goal of a dental practice cybersecurity program is to make attacks harder, slower, and more likely to be detected — so that the attacker moves to an easier target, or so that your team catches the intrusion before it causes full damage. The layers reinforce each other.
- EDR on every endpoint (Huntress or equivalent) — catches malware that bypasses traditional antivirus
- Email security filtering (Proofpoint or equivalent) — blocks phishing, BEC attempts, and malicious attachments before they reach inboxes
- MFA on all remote access and cloud services — stops credential theft from becoming account takeover
- Annual employee security training — the human layer; reduces phishing clicks and social engineering success
- Tested offsite backups — the recovery layer; determines whether ransomware is a disaster or an inconvenience
- Patch management — keeping Windows, dental software, and imaging software current closes known vulnerabilities
- Incident response plan — written, practiced, and accessible so that when something happens, the first 30 minutes do not cost you the next 30 days