Garrisonville Dental reports breach by third-party vendor

Garrisonville Dental L.L.C., a dental practice in Stafford, Virginia, reported a data breach affecting 5,204 people after a third-party vendor notified the practice on March 19 of a cybersecurity incident involving vendor email accounts and files.

What happened

According to the practice’s notice, the unauthorized access, and involved limited patient information maintained in email accounts and vendor files. The information that may have been accessed included identifying details, medical and health insurance information, and Social Security numbers.

The incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights on May 15, 2026, where it is listed as a hacking/IT incident involving email, with a business associate present. Garrisonville Dental said it has no evidence that the affected information has been misused.

What was said

According to the Notice of Security Incident, “Our dental practice was notified on March 19, 2026 by a vendor that from October 15-23, 2025 a cyber incident occurred,and some limited patient information of our patients was accessed. Access was limited to information in a few email accounts and vendor files. There is no current evidence of any actual misuse of personal information.”

Why it matters

In the Garrisonville Dental incident, the affected data was not described as coming from the practice’s electronic dental record system, but from vendor email accounts and files that contained patient information. The pattern is consistent with other healthcare breach reports, like in a similar case, Los Angeles County Department of Mental Health had a phishing attack in which an employee’s disclosed credentials allowed unauthorized access to an email account containing PHI.

Email can become a weak point in healthcare security as patient names, insurance details, medical information, attachments, and referral communications often pass through inboxes as part of routine operations. A study on human factors in cybersecurity breaches of electronic health records supports this concern, finding that a “vast majority of health records were compromised due to poor human security.” Even when core clinical systems remain untouched, a compromised vendor or employee account can still expose protected health information (PHI) through email accounts.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is a hacking/IT incident under HIPAA?

A hacking/IT incident is a broad breach category used in HHS OCR reporting when a cybersecurity event may have exposed PHI.

Does a hacking/IT incident automatically mean patient data was misused?

No. A hacking incident means there was unauthorized access or potential exposure of protected health information.

Who is responsible when a vendor causes or discovers the breach?

The vendor may have direct HIPAA responsibilities if it is a business associate, but the covered entity still has notification and oversight responsibilities.