Ekim IT Solutions

Can Your Dental Software Vendors Get Your Practice Hacked

Your practice could be doing everything right and still get breached. If one of your vendors has weak security, attackers can use that vendor as a door into your systems.

This is called a third-party or supply chain attack. It is one of the fastest-growing categories of cybersecurity risk in healthcare, and dental practices are directly in the line of fire.

An infographic stating that in 2023, nearly 88 million patient records were exposed through vendor and business associate breaches, proving that practice data is often compromised through trusted third-party companies.

How a Vendor Breach Reaches Your Practice

Your practice management software, imaging software, billing platform, and IT provider all have some level of access to your systems or your patient data. They need that access to do their job. But that access also means that if they are compromised, the attacker can reach you through them.

The mechanics work like this. An attacker targets a vendor that serves hundreds of dental practices. Rather than attacking each practice individually, they compromise the vendor once and gain access to all the practices connected to that vendor. One attack, hundreds of victims.

This is exactly what happened with Absolute Dental in 2025. Hackers did not attack Absolute Dental directly. They attacked the practice’s managed services provider first, then used that foothold to access Absolute Dental’s systems. The result was a breach affecting over 1.2 million patients across more than 50 locations.

Change Healthcare: The Largest Example

In February 2024, Change Healthcare, the clearinghouse that processes roughly 40 percent of all dental and medical insurance claims in the United States, suffered a ransomware attack. The attacker gained access through a remote login portal that had no multi-factor authentication.

Dental practices across the country could not process insurance claims for weeks. Many reported cash flow disruptions of $50,000 or more while the systems were down. The breach affected 192.7 million patient records. The cost to the parent company exceeded $872 million.

Dental practices did nothing wrong. Their vendor was the vulnerability.

An infographic identifying the three vendors most likely to expose a dental practice: cloud-based practice management software, third-party billing/RCM companies, and IT service providers with weak internal security.

What HIPAA Requires of Your Vendors

Under HIPAA, any vendor who handles your patient data is considered a business associate. You are required to have a signed business associate agreement, or BAA, with every one of them. The BAA obligates the vendor to protect patient data and to notify you of any breach within 60 days.

But here is the problem. A BAA is a legal document, not a security guarantee. A vendor can sign a BAA and still have weak passwords, no multi-factor authentication, and outdated software. The agreement transfers some legal responsibility, but it does not protect your patients.

HIPAA also requires you to assess the security practices of your business associates as part of your own risk analysis. Most dental practices never do this.

How to Evaluate Vendor Security

Ask About Their Security Practices

Before signing with any software vendor or IT provider, ask them directly: Do you require multi-factor authentication for all remote access? Do you carry cyber liability insurance? Have you ever experienced a breach? How do you notify clients if you are compromised?

A vendor who cannot answer these questions clearly or who is evasive is a risk.

Confirm Your BAAs Are Current

Check that you have signed BAAs with every vendor who touches patient data. This includes your practice management software company, imaging software company, billing and clearinghouse services, IT provider, and cloud backup provider. If a vendor cannot provide or sign a BAA, they cannot legally handle your patient data.

Limit Vendor Access

Not every vendor needs full access to your systems. Work with your IT provider to ensure vendors only have access to what they need to do their job. Remote access sessions should be logged and time-limited where possible.

Have a Vendor Breach Response Plan

If one of your vendors tells you they have been breached, you need to know what to do immediately. Isolate any connections to that vendor. Assess whether your patient data was involved. Notify your IT provider and your attorney. Document everything.

Frequently Asked Questions

If my vendor gets hacked, am I responsible under HIPAA?

Yes. If patient data entrusted to a business associate is exposed, you as the covered entity are still responsible for notifying affected patients. The vendor shares liability, but you cannot simply point to the vendor and walk away from your obligations.

How do I know which vendors have access to my patient data?

Your IT provider should be able to give you a complete list of all third-party access points to your systems and data. If you do not have this list, that is itself a compliance gap that needs to be addressed.

Do software vendors like Dentrix and Open Dental carry cybersecurity protections?

Major practice management platforms have their own security measures, but no software is immune. Dentrix Ascend, for example, is SOC 2 Type II certified, which provides third-party verification of security controls. Cloud-based platforms generally handle infrastructure security while your practice remains responsible for endpoint security, staff training, and access controls.

What is the difference between a BAA and a cybersecurity audit?

A BAA is a legal agreement that outlines each party’s obligations under HIPAA. A cybersecurity audit is an independent review of a vendor’s actual security practices. One is paperwork. The other is proof. Both matter, and many practices only have one.

Is your dental practice protected?

Ekim IT Solutions works exclusively with dental practices. We serve New England and New York with on-site support and dental practices nationwide with remote support. We handle security, compliance, and everything in between so you can focus on patients.

Schedule a Fit Call: Find out in 15 minutes if we are the right fit for your practice.