
Real-world dental breaches that prove no practice is too small

Research in the International Journal of Healthcare Management describes an era when small healthcare providers "genuinely believed that their business was unlikely to be targeted by hackers because it was small" as the "Period of Innocence."

The researchers note that more than 60% of physicians practice in what's considered a small business. Hackers figured this out a long time ago. They know that while a major hospital system has a dedicated security operations center with round-the-clock monitoring, a dental office usually has an office manager who's also handling scheduling, billing, insurance claims, and somehow IT troubleshooting too.

This makes them an easier target because dental records are packed with Social Security numbers, insurance IDs, and detailed medical histories, exactly what they're after.

 

1. The MCNA data breach

In 2023, MCNA Dental got hit with what turned out to be the largest healthcare data breach of the entire year. MCNA is the largest dental insurer in the US for government-sponsored Medicaid and CHIP programs. Over 5 million members, covering eight states.

The attackers were the LockBit ransomware gang. When MCNA refused to pay the $10 million ransom, the hackers followed through on their threat. They uploaded 700GB of stolen data onto the dark web. The leaked data included:

  • Names 
  • Addresses
  • Dates of birth
  • Phone numbers 
  • Social Security numbers
  • Driver's licenses
  • Government IDs
  • Insurance details
  • Treatment records
  • Claims information
  • Children's dental X-rays

LockBit runs a "Ransomware-as-a-Service" operation. They have customer support. Negotiators. A business model. When you get targeted, you're up against a criminal organization with infrastructure and profit margins to protect.

This case shows how organized ransomware groups target healthcare because of the high value of medical records. The FBI's 2023 Internet Crime Report notes that healthcare was the most targeted critical infrastructure sector for ransomware, which shows why even dental insurers face industrial-scale attacks.

 

2. The Absolute Dental data breach

In February 2025, Absolute Dental discovered a breach that exposed data on more than 1.2 million people in over 50 locations across Nevada, even though they had security measures in place.

The hackers didn't break through Absolute Dental's defenses directly. They went after the company's managed services provider, an external IT vendor. According to the breach notice, the attackers executed "a malicious version of a legitimate software tool through an account associated with its managed services provider."

They compromised the IT company first, then used that access to move into Absolute Dental's systems.
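The breach notice above describes a malicious version of a legitimate tool being run through a vendor account. One defensive control is a deny-by-default integrity gate: a tool pushed by the managed services provider runs only if its SHA-256 digest matches an allowlist from the vendor's release record, and vendor accounts may only act inside an approved maintenance window. This is an added example, not code from the original post or from Absolute Dental or its provider; the tool bytes, digests, account domain and window are constructed assumptions.

```python
"""Deny-by-default integrity gate for tools an IT vendor pushes to endpoints.

Added example, not from the original post. The allowlist digest is assumed to
come from the vendor's signed release record; all values here are constructed.
"""
import hashlib
from datetime import datetime, time

# Constructed stand-ins for a genuine tool and a tampered copy (not real software).
GENUINE_TOOL = b"#!/bin/sh\necho 'inventory agent v4.2'\n"
TAMPERED_TOOL = GENUINE_TOOL + b"# unexpected extra payload appended\n"

# Assumed allowlist: tool name -> expected SHA-256 hex digest.
ALLOWLIST = {
    "inventory-agent-4.2": hashlib.sha256(GENUINE_TOOL).hexdigest(),
}

# Assumed vendor identity and approved change window (22:00-23:59 local time).
VENDOR_DOMAIN = "@msp.example"
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def may_execute(tool_name: str, data: bytes, allowlist=ALLOWLIST):
    """Return (allowed, reason). Unknown names and digest mismatches are both refused."""
    expected = allowlist.get(tool_name)
    if expected is None:
        return False, "tool not on allowlist"
    actual = sha256_hex(data)
    if actual != expected:
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches allowlist"


def vendor_action_allowed(account: str, when: datetime, tool_name: str, data: bytes):
    """Apply the time-window rule to vendor accounts, then the integrity gate to everyone."""
    if account.endswith(VENDOR_DOMAIN):
        start, end = MAINTENANCE_WINDOW
        if not (start <= when.time() <= end):
            return False, "vendor account acting outside maintenance window"
    return may_execute(tool_name, data)


if __name__ == "__main__":
    print(vendor_action_allowed("tech@msp.example", datetime(2025, 2, 3, 22, 30),
                                "inventory-agent-4.2", GENUINE_TOOL))
    print(vendor_action_allowed("tech@msp.example", datetime(2025, 2, 3, 14, 0),
                                "inventory-agent-4.2", GENUINE_TOOL))
    print(may_execute("inventory-agent-4.2", TAMPERED_TOOL))
```

The gate refuses anything it has not been told about, so a renamed or rebuilt binary fails the same way a tampered one does; the window check is a cheap way to turn routine vendor access into a scheduled, reviewable event rather than a standing capability.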

The following data was exposed:

  • Names
  • Contact info
  • Birthdates
  • Social Security numbers
  • Driver's licenses
  • Passports
  • Health histories
  • Diagnoses
  • Treatment records
  • Insurance information
  • Financial accounts and payment card data

Under HIPAA, your business associates must sign agreements promising to protect patient data. But if your IT vendor gets hacked, you get breached, and you face the consequences.

Go deeper: Absolute Dental breach exposes data of over 1.2 million patients

 

3. The First Choice Dental data breach

In October 2023, First Choice Dental in Wisconsin couldn’t access its systems. Initially, they believed the breach affected around 1,000 people. As forensic teams dug deeper, that number grew to more than 159,000 patients.

The hackers accessed names, birthdates, Social Security numbers, health records, and financial data. A class action lawsuit was filed, alleging the practice failed to implement adequate data protection measures.

While denying liability, First Choice Dental agreed to a settlement valued at up to $1.225 million to resolve the claims. The company also had to deploy endpoint detection and response tools, implement immutable off-site backups, patch its systems, reset administrative accounts, enforce stronger password policies, and temporarily disable remote access while rebuilding security infrastructure.

Learn more: First Choice Dental to pay up to $1.2M in ransomware settlement

 

4. The Chord Specialty Dental Partners data breach

In September 2024, Chord Specialty Dental Partners (formerly Spark Dental Management) noticed suspicious activity in an employee's email account. The Tennessee-based organization supports over 60 dental practices across multiple states.

An investigation revealed that an unauthorized third party had been quietly accessing several employee email accounts for more than five weeks, from August 19 to September 25, 2024. The affected email accounts contained patient names, addresses, Social Security numbers, driver's license numbers, bank account information, payment card information, dates of birth, medical information, and health insurance information. Because email accounts are unstructured, with many attachments sitting in the Sent folder, it took months to determine exactly who was affected. Notification letters didn't go out until March 2025, nearly six months after the breach was discovered. Multiple law firms have since announced investigations into the incident.

If a hacker cracks an email password, they own every conversation, every attachment, every piece of patient information that's ever passed through that account. And they can sit there for weeks, reading and copying, before anyone notices.
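The five-week dwell time described above is the kind of thing a mailbox audit log can surface early if someone looks at it. The following added example (not code from the original post or from Chord Specialty Dental Partners) walks a simplified set of constructed audit records and flags, per account, access from outside the home country, how long that access persisted, whether inbox rules were created during it, and whether the account was used from more than one country. The record layout and field names are assumptions modelled on what a mailbox audit log typically contains.

```python
"""Flag long-dwelling or suspicious mailbox access from mailbox audit records.

Added example, not from the original post. Records are constructed and use a
simplified "timestamp | user | operation | client_ip | country" layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data; documentation IP ranges).
SAMPLE_LOG = """\
2024-08-19T07:12:00 | a.smith@example-dental.test | MailboxLogin | 203.0.113.45 | NL
2024-08-19T08:30:00 | a.smith@example-dental.test | MailboxLogin | 198.51.100.7 | US
2024-08-20T02:14:00 | a.smith@example-dental.test | MailItemsAccessed | 203.0.113.45 | NL
2024-09-01T03:40:00 | a.smith@example-dental.test | New-InboxRule | 203.0.113.45 | NL
2024-09-25T04:05:00 | a.smith@example-dental.test | MailItemsAccessed | 203.0.113.45 | NL
2024-09-02T09:00:00 | b.jones@example-dental.test | MailboxLogin | 198.51.100.7 | US
2024-09-02T17:15:00 | b.jones@example-dental.test | MailItemsAccessed | 198.51.100.7 | US
"""

HOME_COUNTRY = "US"                      # assumption: the practice operates in one country
DWELL_ALERT = timedelta(days=7)          # assumption: a week of foreign access warrants a ticket
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}  # rules that forward or delete mail hide an intruder


def parse_log(text: str):
    records = []
    for line in text.strip().splitlines():
        ts, user, op, ip, country = [p.strip() for p in line.split("|")]
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "op": op, "ip": ip, "country": country})
    return records


def find_suspicious_access(records):
    """Return {user: findings} for every account touched from outside HOME_COUNTRY."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    findings = {}
    for user, recs in by_user.items():
        foreign = [r for r in recs if r["country"] != HOME_COUNTRY]
        if not foreign:
            continue
        first = min(r["ts"] for r in foreign)
        last = max(r["ts"] for r in foreign)
        dwell = last - first
        findings[user] = {
            "foreign_ips": sorted({r["ip"] for r in foreign}),
            "dwell_days": dwell.days,
            "long_dwell": dwell >= DWELL_ALERT,
            "inbox_rules_created": any(r["op"] in RULE_OPS for r in foreign),
            "concurrent_countries": len({r["country"] for r in recs}) > 1,
        }
    return findings


if __name__ == "__main__":
    for user, f in find_suspicious_access(parse_log(SAMPLE_LOG)).items():
        print(user, f)
```

Run against real exports, the same logic would have flagged the first foreign sign-in on day one and the inbox rule on day 13, rather than the practice learning about it after five weeks. Country lookup, home-country policy and the seven-day threshold are all tunable assumptions.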

Read more: Chord Specialty Dental Partners reports breach affecting over 170k individuals


 

5. The New Vision Dental data breach 

In December 2022, New Vision Dental in California settled with the Office for Civil Rights for $23,000 for responding to negative Yelp reviews.

Patients left bad reviews. The practice pushed back. In their responses, they used patients' full names—even when those patients had only used Yelp usernames. They shared details about visits, treatment plans, and insurance to prove that the reviewers were being unfair.

The OCR investigation concluded that New Vision Dental "impermissibly disclosed PHI on its Yelp business page." Beyond the money, the practice had to develop written HIPAA policies, train all staff, and scrub any social media posts containing patient information (PHI).

"This latest enforcement action demonstrates the importance of following the law even when you are using social media," said OCR Director Melanie Fontes Rainer. "Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO."

A breach doesn't have to involve a hacker. If your response includes anything identifying (a name, a treatment, an appointment date, or insurance details), you've just violated federal law.

The research about HIPAA compliance challenges for small healthcare providers documents a case where a practice owner had their car stolen. In the back seat were physical patient charts and a laptop. The labels on the charts included patient names and Social Security numbers. Not knowing exactly how many records were compromised, the practice had to notify all of its patients about the incident and offer credit monitoring.

According to the research, 68% of all healthcare data breaches since 2010 resulted from device theft or loss. A Ponemon Institute study found that the average economic consequence per lost laptop is $49,246, and that's not the cost of replacing the hardware. It's the cost of the breach, the notification, the monitoring, and the reputational damage. If the laptop is encrypted, you're protected by HIPAA's "Safe Harbor" provision. You lost the hardware, but you didn't lose the data. If the laptop is unencrypted, every patient record on the hard drive is considered breached.

 

The common thread

When you examine these cases, from Chord Specialty's email compromise to the phishing attacks that deliver ransomware, you notice that the vulnerability is usually in communication. Hackers don't typically breach firewalls anymore. They hack people. They send a fake invoice to your front desk. They guess a weak password on an email account. They exploit the fact that dental offices are busy, understaffed, and trusting.

According to research published in Current Opinion in Psychology, "providers maintain less control over the third-party systems that send and maintain email, which affects their ability to ensure confidentiality." Email is often the entry point. It's where phishing starts. It's where credentials get stolen. It's where PHI sits in unstructured folders for years.

The TDIC Risk Management analysts state, "Sharing patient information through unencrypted e-mail or messaging services can lead to privacy violations. Implementing secure communication methods is crucial to avoid such breaches."

 

The solution

The problem with most security tools is that they add friction. If you force your staff to log into three different portals just to send a referral, they'll eventually find a workaround. They'll use personal Gmail. They'll text a photo of records, and that's when breaches happen.

Paubox Email Suite is designed for the way dental practices actually work. It integrates directly with Google Workspace and Microsoft 365. When you send an email, Paubox encrypts it automatically in the background.

  • No portals. Recipients read your emails directly in their inbox.
  • No passwords. Patients don't need to remember another login.
  • No extra clicks. Your staff sends email exactly as they always have.

Paubox handles the HIPAA compliance. Every outbound message is encrypted and secured in transit using TLS 1.2 or higher. If a recipient's mail server doesn't support modern encryption, Paubox automatically delivers a secure link instead.
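The delivery policy described above has two parts: refuse anything below TLS 1.2, and fall back to a secure link when the recipient's server cannot meet that bar. The following added example (not Paubox's code) shows both decisions with Python's standard library: a client context pinned to a TLS 1.2 minimum, a parser that checks a raw EHLO reply for the STARTTLS capability, and a decision function that picks TLS delivery or the secure-link path from the capability and the negotiated protocol version. The EHLO banners are constructed, and the fallback logic is an assumption about how such a policy could be implemented.

```python
"""Outbound mail policy: TLS 1.2 or higher, otherwise a secure-link fallback.

Added example, not Paubox's code. The EHLO replies are constructed; the
decision rule is an assumption about how a fallback policy could work.
"""
import ssl
from typing import Optional

MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}   # strings as returned by SSLSocket.version()

# Constructed EHLO replies: one modern server, one that never offers STARTTLS.
EHLO_MODERN = "250-mail.recipient.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_LEGACY = "250-mail.legacy.example\r\n250-SIZE 10240000\r\n250 8BITMIME"


def outbound_context() -> ssl.SSLContext:
    """Client context that refuses any handshake below TLS 1.2 (stdlib ssl module)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def ehlo_supports_starttls(ehlo_response: str) -> bool:
    """Scan a multi-line EHLO reply ("250-CAP" / "250 CAP") for the STARTTLS keyword.
    With smtplib, SMTP.has_extn("starttls") answers the same question after ehlo()."""
    for line in ehlo_response.splitlines():
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def choose_delivery(ehlo_response: str, negotiated_version: Optional[str]) -> str:
    """'tls' when STARTTLS was offered and >= TLS 1.2 was negotiated, else 'secure_link'.

    negotiated_version is None when the peer offered STARTTLS but the handshake
    failed under the pinned minimum (e.g. a TLS 1.0-only server)."""
    if not ehlo_supports_starttls(ehlo_response):
        return "secure_link"
    if negotiated_version not in ACCEPTED_VERSIONS:
        return "secure_link"
    return "tls"


if __name__ == "__main__":
    print(choose_delivery(EHLO_MODERN, "TLSv1.3"))   # tls
    print(choose_delivery(EHLO_MODERN, None))        # secure_link
    print(choose_delivery(EHLO_LEGACY, None))        # secure_link
```

The important property is that the fallback is chosen before any message content leaves the sender: the capability check and version check both happen on the control connection, so a server that cannot negotiate TLS 1.2 never receives the plaintext body.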

 

FAQs

What is a business associate agreement?

A business associate agreement (BAA) is a contract required under HIPAA between a covered entity and any vendor that handles protected health information on its behalf. This includes IT providers, billing services, and cloud storage companies. 

 

What should I do if my practice experiences a breach?

Under the HIPAA Breach Notification Rule, you must notify affected individuals and the Secretary of HHS within 60 days of discovering the breach. If the breach affects more than 500 residents of a state, you must also notify prominent media outlets in that state. Document everything, engage cybersecurity experts for forensic investigation, and consult legal counsel immediately.
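Turning the rule above into dates is where practices slip, so here is an added example (not from the original post) that computes the notification plan from a discovery date and per-state headcounts. It follows 45 CFR 164.404 through 164.408: individuals within 60 days of discovery, media notice in any state where more than 500 residents are affected, and HHS within the same 60 days when 500 or more people are affected. It also covers the smaller case the FAQ does not spell out, where a breach affecting fewer than 500 people is logged and reported to HHS within 60 days after the end of the calendar year. The discovery date and counts are constructed.

```python
"""HIPAA Breach Notification Rule deadlines from a discovery date and state counts.

Added example, not from the original post. Rules follow 45 CFR 164.404-164.408;
the discovery date and per-state headcounts below are constructed.
"""
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)
MEDIA_THRESHOLD = 500            # more than 500 residents of one state -> media notice
HHS_IMMEDIATE_THRESHOLD = 500    # 500 or more individuals in total -> HHS within 60 days


def notification_plan(discovered: date, affected_by_state: dict) -> dict:
    """Return the individual, media and HHS deadlines for a breach."""
    total = sum(affected_by_state.values())
    individual_deadline = discovered + NOTIFY_WINDOW
    media_states = sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD)

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_deadline = individual_deadline
    else:
        # Fewer than 500: log it and submit within 60 days after the calendar year ends.
        hhs_deadline = date(discovered.year, 12, 31) + NOTIFY_WINDOW

    return {
        "total_affected": total,
        "individual_notice_by": individual_deadline,
        "media_notice_states": media_states,
        "hhs_notice_by": hhs_deadline,
    }


def days_overdue(deadline: date, sent: date) -> int:
    """Positive when notices went out after the deadline, zero when on time."""
    return max(0, (sent - deadline).days)


if __name__ == "__main__":
    plan = notification_plan(date(2025, 2, 10), {"NV": 1200, "CA": 300})
    print(plan)
    print("days overdue if letters go out 1 June 2025:",
          days_overdue(plan["individual_notice_by"], date(2025, 6, 1)))
```

The 60-day window runs from discovery, not from the end of the forensic investigation; the practice in the example would owe individual letters by 11 April 2025 even if the headcount were still being refined.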

 

How does encryption protect my practice under HIPAA's Safe Harbor provision?

If PHI is encrypted according to NIST standards and a device is lost or stolen, the incident may not qualify as a "breach" requiring notification. This is because encrypted data is considered unusable without the decryption key. However, the encryption must meet specific technical standards, and the key must not be stored with the device.
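The Safe Harbor conditions stated here and in the stolen-laptop case earlier on the page (encryption that meets NIST guidance, with the key kept away from the device) can be checked against an asset inventory before a device ever goes missing. The following added example (not from the original post) audits a constructed inventory and classifies each device as eligible, not eligible, or needing review. Column names, the escrow locations and the treatment of file-level encryption as "review" are assumptions; the algorithm check follows the FIPS-approved AES family that NIST SP 800-111 relies on.

```python
"""Audit an endpoint inventory for HIPAA Safe Harbor eligibility if a device is lost.

Added example, not from the original post. Inventory rows and column names are
constructed; the rules encode the page's two conditions (NIST-conformant
encryption, key not stored with the device).
"""
import csv
import io

# Constructed inventory (not real assets).
INVENTORY_CSV = """\
asset,owner,encryption,algorithm,key_escrow,key_on_device
LT-0012,front-desk,full-disk,AES-256-XTS,directory-service,no
LT-0019,dr-lee,none,,,no
LT-0023,billing,full-disk,AES-128-CBC,sticky-note-on-lid,yes
LT-0031,hygienist,file-level,AES-256-GCM,password-manager,no
"""

FIPS_APPROVED_PREFIXES = ("AES-128", "AES-192", "AES-256")


def safe_harbor_status(row: dict):
    """Return (status, reason) with status in {'eligible', 'not_eligible', 'review'}."""
    if row["encryption"] == "none":
        return "not_eligible", "device is unencrypted; every record on it counts as breached"
    if not row["algorithm"].upper().startswith(FIPS_APPROVED_PREFIXES):
        return "not_eligible", f"algorithm {row['algorithm']!r} is not FIPS-approved"
    if row["key_on_device"].lower() == "yes":
        return "not_eligible", "decryption key travels with the device, so the data is usable"
    if row["encryption"] == "full-disk":
        return "eligible", f"full-disk {row['algorithm']} with key escrowed in {row['key_escrow']}"
    # File-level encryption only protects what was put in the container; verify
    # that no PHI sat outside it before claiming Safe Harbor (assumption: review).
    return "review", "file-level encryption; confirm all PHI lived inside encrypted containers"


def audit_inventory(csv_text: str) -> dict:
    """Map asset id -> (status, reason) for every row in the inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: safe_harbor_status(row) for row in reader}


if __name__ == "__main__":
    for asset, (status, reason) in audit_inventory(INVENTORY_CSV).items():
        print(f"{asset}: {status} ({reason})")
```

The third row is the one practices most often get wrong: the disk is encrypted with an approved algorithm, but a recovery key kept with the laptop removes the protection the rule relies on, so the loss is a reportable breach.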
