
Ekim IT Solutions


Can Your Dental Software Vendors Get Your Practice Hacked

[Header graphic: two hands shaking with a red "HACKED" stamp overlaid, illustrating third-party data breaches]

Your practice could be doing everything right and still get breached through a vendor with weak security.

Attackers can use a trusted vendor as a door into your systems. This is called a third-party or supply chain attack. It is one of the fastest-growing categories of cybersecurity risk in healthcare, and dental practices are directly in the line of fire.

88M patient records exposed in 2023

In 2023, nearly 88 million patient records were exposed through vendor and business associate breaches.

That is data that was breached not by attacking practices directly, but by attacking the companies those practices trusted. The practice did nothing wrong. The vendor was the vulnerability.

How a Vendor Breach Reaches Your Practice

Your practice management software, imaging software, billing platform, and IT provider all have some level of access to your systems or your patient data. They need that access to do their job. But that access also means that if they are compromised, the attacker can reach you through them.

An attacker targets a vendor that serves hundreds of dental practices. Rather than attacking each practice individually, they compromise the vendor once and gain access to all the practices connected to that vendor. One attack, hundreds of victims.

2025 Real-World Case

Absolute Dental: 1.2 million patients across 50+ locations

Hackers did not attack Absolute Dental directly. They attacked the practice’s managed services provider first, then used that foothold to access Absolute Dental’s systems. The result was a breach affecting over 1.2 million patients across more than 50 locations. The practice did nothing wrong. Their IT vendor was the entry point.

Change Healthcare: The Largest Example

In February 2024, Change Healthcare, the clearinghouse that processes roughly 40 percent of all dental and medical insurance claims in the United States, suffered a ransomware attack. The attacker gained access through a remote login portal that had no multi-factor authentication.

Dental practices across the country could not process insurance claims for weeks. Many reported significant cash flow disruptions while the systems were down.

192.7M patient records affected by the breach

$872M+ cost to the parent company

$50K+ cash flow disruption reported by many affected practices

Dental practices did nothing wrong. Their vendor was the vulnerability.

Highest Exposure Vendors

Three vendors that can expose your practice

1. Your IT provider

Remote access to every computer in your office. A compromised IT provider credential gives an attacker the same access your IT team has: every workstation, every server, every file. This is exactly how the Absolute Dental breach occurred.

2. Your practice management software vendor

Patient records live in or pass through their systems. Your PMS vendor has a database connection to your most sensitive patient data: demographics, health history, Social Security numbers, and treatment records.

3. Your insurance clearinghouse

Billing data and patient identifiers flow through their platform. Every insurance claim your practice submits includes protected health information. Change Healthcare processed 40 percent of all US dental claims when it was breached in 2024.

What HIPAA Requires of Your Vendors

Under HIPAA, any vendor who handles your patient data is considered a business associate. You are required to have a signed business associate agreement, or BAA, with every one of them. The BAA obligates the vendor to protect patient data and to notify you of any breach within 60 days.

Important Distinction

A BAA is a legal document, not a security guarantee

A vendor can sign a BAA and still have weak passwords, no multi-factor authentication, and outdated software. The agreement transfers some legal responsibility but it does not protect your patients. HIPAA also requires you to assess the security practices of your business associates as part of your own risk analysis. Most dental practices never do this.

How to Evaluate Vendor Security

Four actions every dental practice should take to reduce vendor-related exposure. Check each one your practice has completed.


Your practice has addressed the key vendor security areas.

All four actions completed. Review your vendor list annually as new integrations and services are added. A BAA signed two years ago may cover a vendor whose access scope has since expanded.

Gaps remain that create real exposure.

The unchecked items are exactly where vendor breaches enter. A vendor with no BAA, unconstrained access, or evasive answers on security is a liability your practice is contractually and legally responsible for under HIPAA.

Your practice has significant vendor security gaps.

Missing BAAs, unchecked vendor access, and no breach response plan are exactly the conditions that turn a vendor's problem into your practice's HIPAA violation. These gaps do not require a breach to create liability: the HHS Office for Civil Rights (OCR) can find them in a routine audit.
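The review described in this section comes down to a handful of questions per vendor: is there a signed BAA, has it been looked at in the last year, does the vendor's current access still match what the BAA was written to cover, is remote access protected by MFA, and is the breach notification window within the 60 days cited above. The script below is an added example, not Ekim's own tooling or an assessment standard, that runs those checks over a vendor access inventory and sorts each vendor into the same three outcome buckets used above. Every vendor name, date and access value in it is constructed sample data, and the field names on the Vendor record are assumptions made for illustration.

```python
"""Vendor access review against the criteria this page lays out.

Added example, not Ekim's own tooling. Every vendor name and field value
below is constructed sample data; the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 365        # the page recommends an annual review
HIPAA_BREACH_NOTICE_DAYS = 60     # notification window the page cites
REVIEW_DATE = date(2025, 6, 1)    # constructed "today" so the run is repeatable

# Findings that on their own put a vendor in the "significant gaps" bucket.
CRITICAL = {"NO_BAA", "NO_MFA", "SCOPE_CREEP"}


@dataclass
class Vendor:
    name: str
    role: str                          # "IT provider", "PMS", "clearinghouse", ...
    has_baa: bool
    baa_signed: date | None            # signing date of the BAA on file
    baa_access_scope: set[str]         # systems the BAA was written to cover
    current_access: set[str]           # systems the vendor can reach today
    remote_access_mfa: bool | None     # None = vendor would not answer
    breach_notice_days: int | None     # contractual notification window
    shared_credentials: bool           # one login shared by all vendor staff


def review_vendor(v: Vendor, today: date = REVIEW_DATE) -> list[tuple[str, str]]:
    """Return (code, message) findings for one vendor, in check order."""
    findings: list[tuple[str, str]] = []
    if not v.has_baa:
        findings.append(("NO_BAA", "no signed business associate agreement"))
    else:
        if v.baa_signed is None:
            findings.append(("BAA_DATE_UNKNOWN", "BAA on file but signing date not recorded"))
        elif (today - v.baa_signed).days > REVIEW_INTERVAL_DAYS:
            age = (today - v.baa_signed).days
            findings.append(("BAA_STALE", f"BAA last signed {age} days ago; review it"))
        # The BAA may predate access the vendor has since been given.
        expanded = v.current_access - v.baa_access_scope
        if expanded:
            findings.append(("SCOPE_CREEP",
                             "access beyond BAA scope: " + ", ".join(sorted(expanded))))
        if v.breach_notice_days is None or v.breach_notice_days > HIPAA_BREACH_NOTICE_DAYS:
            findings.append(("NOTICE_WINDOW",
                             f"breach notice window missing or over {HIPAA_BREACH_NOTICE_DAYS} days"))
    if v.remote_access_mfa is None:
        findings.append(("MFA_UNKNOWN", "vendor would not confirm MFA on remote access"))
    elif not v.remote_access_mfa:
        findings.append(("NO_MFA", "remote access without multi-factor authentication"))
    if v.shared_credentials:
        findings.append(("SHARED_CREDS", "shared vendor login; no per-person accountability"))
    return findings


def risk_level(findings: list[tuple[str, str]]) -> str:
    """Map findings onto the page's three outcomes: ok, gaps, significant."""
    codes = {code for code, _ in findings}
    if codes & CRITICAL:
        return "significant"
    return "gaps" if codes else "ok"


def review_inventory(vendors: list[Vendor], today: date = REVIEW_DATE) -> dict[str, list[tuple[str, str]]]:
    return {v.name: review_vendor(v, today) for v in vendors}


# Constructed inventory mirroring the three vendor types discussed on the page.
SAMPLE_INVENTORY = [
    Vendor("Acme MSP (constructed)", "IT provider", True, date(2023, 3, 15),
           {"workstations", "server"},
           {"workstations", "server", "backup-nas", "firewall"},   # access grew after signing
           remote_access_mfa=False, breach_notice_days=60, shared_credentials=True),
    Vendor("PMS Cloud Co (constructed)", "practice management software", True, date(2025, 1, 10),
           {"patient-db"}, {"patient-db"},
           remote_access_mfa=True, breach_notice_days=30, shared_credentials=False),
    Vendor("ClaimsHub (constructed)", "insurance clearinghouse", False, None,
           set(), {"claims-export"},
           remote_access_mfa=None, breach_notice_days=None, shared_credentials=False),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {risk_level(findings)}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

The scope check is the one most practices skip: it only works if the access listed in the BAA was recorded at signing time, so the inventory has to carry both the agreed scope and the access the vendor actually holds today. A vendor that refuses to answer the MFA question is reported separately from one that confirms it has none, since the first is an open item to chase and the second is the condition behind the Change Healthcare breach described above.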


Frequently Asked Questions

Yes. If patient data entrusted to a business associate is exposed, you as the covered entity are still responsible for notifying affected patients. The vendor shares liability, but you cannot simply point to the vendor and walk away from your obligations.

Your IT provider should be able to give you a complete list of all third-party access points to your systems and data. If you do not have this list, that is itself a compliance gap that needs to be addressed.

Major practice management platforms have their own security measures, but no software is immune. Dentrix Ascend, for example, is SOC 2 Type II certified, which provides third-party verification of security controls. Cloud-based platforms generally handle infrastructure security while your practice remains responsible for endpoint security, staff training, and access controls.

A BAA is a legal agreement that outlines each party's obligations under HIPAA. A cybersecurity audit is an independent review of a vendor's actual security practices. One is paperwork. The other is proof. Both matter, and many practices only have one.

Do you know what level of access your dental software vendors have to your systems?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We review your vendor access controls, remote support permissions, and BAA documentation so a third-party breach does not become your practice's problem.

Your vendors can be a backdoor into your practice. Find out if that door is properly locked.