
Ekim IT Solutions


What Happens to a Dental Practice After a Cyberattack


The attack itself is not the worst part. For most dental practices, the worst part is everything that comes after.

When a cyberattack hits a dental office, the immediate disruption gets most of the attention. But the consequences stretch out for weeks, months, and sometimes years. Understanding what the aftermath actually looks like helps practices make better decisions before an attack ever happens.

[Infographic: the average healthcare data breach costs $9.77 million, covering downtime, forensics, legal fees, and reputational damage, a figure that can be devastating for a small dental practice.]

The First 72 Hours

The moment a ransomware attack or breach is detected, the practice faces a cascade of immediate decisions. Systems may be locked. Patient records may be inaccessible. Scheduling software may be down. Clinical staff cannot see who is coming in or what procedures are planned.

Downtime for dental practices runs an estimated $5,000 to $25,000 per day in lost revenue and recovery costs. Restoration from a ransomware attack takes an average of 19 days. That is nearly three weeks of disrupted or halted operations.

The first decisions matter enormously. Who investigates? Do you pay the ransom? Who do you call? Practices without an incident response plan waste critical hours figuring out their next step while the situation worsens.

The Legal Clock Starts Immediately

HIPAA requires breach notification within 60 days of discovering a breach that affects patient data. That clock starts the moment you become aware of the incident, not when you finish investigating it.

If more than 500 patients in a state are affected, you must also notify the media. If more than 500 patients total are affected, the breach appears on the HHS Breach Portal, which is publicly searchable. Your practice name, the number of patients affected, and the nature of the breach all become public record.

Westend Dental in Indiana learned this the hard way. The practice paid a $350,000 settlement after regulators found it had delayed notifying patients of a ransomware attack. The fine was not for the attack. It was for the delayed response.

[Infographic: the four mandatory actions after a dental data breach are patient notification within 60 days, reporting to HHS for breaches affecting 500 or more patients, alerting local media for large breaches, and full cooperation with OCR investigations.]

The Patient Notification Process

Every affected patient must receive a written notification that explains what happened, what information was involved, what the practice is doing about it, and what the patient can do to protect themselves. This notification typically includes an offer of free credit monitoring.

For a breach affecting thousands of patients, the cost of notification letters, postage, call center setup, and credit monitoring services can run tens of thousands of dollars. Chord Specialty Dental Partners notified roughly 173,000 patients after their 2025 email breach. Absolute Dental notified over 1.2 million.

The OCR Investigation

The HHS Office for Civil Rights investigates breaches affecting 500 or more patients. During an investigation, OCR reviews your security practices, your risk assessment history, your staff training records, your business associate agreements, and your incident response documentation.

If OCR finds gaps, it can impose fines ranging from $145 per violation for unknowing violations up to $2,190,294 per violation for willful neglect. Multiple findings can compound quickly. It is not uncommon for an investigation to uncover multiple separate violations, each carrying its own penalty.

Class Action Lawsuits

Data breach class action lawsuits against dental practices have become more common. Patients whose information was exposed can join a class action and seek damages. Law firms routinely monitor HHS breach notifications specifically to identify new class action opportunities.

After the Absolute Dental breach in 2025, multiple law firms announced investigations into the incident within weeks of the breach notification going out. The practice was dealing with regulatory scrutiny and legal exposure simultaneously.

Reputational Damage

Patient trust is hard to rebuild after a breach. Your practice name on the HHS Breach Portal is permanent and publicly searchable. Patients searching your practice name will find it. Reviews mentioning the breach will appear. Referrals from other providers may slow.

The reputational harm is difficult to quantify but real. For single-provider practices especially, where patient relationships are the foundation of the business, a public breach can cause patient attrition that outlasts every other consequence.

Frequently Asked Questions

Do I have to pay the ransom to get my data back?

Not necessarily. If you have clean, tested, offsite backups, you can restore your systems without paying. Practices that pay the ransom recover all their data only about 2% of the time. Paying also does not guarantee the attackers will not publish or sell the data they already copied.

Will cyber insurance cover everything?

Cyber insurance helps but rarely covers everything. Policies have limits, exclusions, and deductibles. Coverage typically includes forensic investigation, some legal costs, and notification expenses. It does not always cover HIPAA fines, long-term reputational damage, or full revenue losses during downtime.

What if the breach came from a vendor, not our own systems?

You are still responsible under HIPAA. If a business associate such as your IT provider, billing company, or software vendor is breached and patient data is exposed, you must still notify patients and may still face OCR scrutiny. This is why business associate agreements and vendor vetting matter.

How long does recovery actually take?

The average ransomware recovery for a healthcare organization takes 19 days. Full recovery, including legal resolution, OCR investigation closure, and reputation rebuilding, can take one to two years.

Is your dental practice protected?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We handle security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.