

There are approximately 200,000 dental practices in the United States. The vast majority have never completed a formal HIPAA risk assessment. Not once.
That is not an assumption. It is what OCR investigators find, practice after practice, when they open an enforcement case. And dental offices are increasingly on their radar.
If you own or manage a dental practice, this post is going to cover what OCR is actually penalizing dental practices for right now, why your practice management software is likely creating compliance gaps you do not know about, and what your cyber insurance carrier is going to ask for at your next renewal — whether you are prepared or not.
Dental practices are not small, low-value targets. They are data-rich, security-poor, and increasingly on the map for ransomware operators.
Consider what a typical dental practice holds on every patient: full legal name, date of birth, Social Security number, insurance information, treatment history, X-rays and imaging, and financial payment data. That combination of personal, medical, and financial information is exactly what cybercriminals sell on dark web markets and exactly what makes a breach expensive to resolve.
At the same time, most dental practices run with one to five dentists, five to twenty-five total staff, and either no IT support at all or a local IT company that manages hardware and software but has no understanding of HIPAA security requirements. That gap between the value of your data and the maturity of your defenses is what makes dental offices attractive targets.
Cyberattacks on dental offices surged in 2025, with practices increasingly targeted for their data stores. This is not a trend that is slowing down.
The Office for Civil Rights does not only go after hospitals. Some of its most notable recent enforcement actions have been against solo and small-group dental practices.
The Right of Access rule — which requires practices to provide patients with timely access to their own records — has become one of OCR's most active enforcement areas. Dental practices repeatedly show up in these cases because their workflows around patient records are informal, undocumented, and handled differently by every staff member.
The pattern across nearly every enforcement action is the same: no HIPAA risk assessment on file, no written security policies, and no documented procedure for handling patient data requests.
The belief that your practice management software makes you HIPAA compliant is one of the most common misconceptions in dental security, and it costs practices every year.
Dentrix, Eaglesoft, and Open Dental are the dominant practice management platforms in dentistry. Each of these vendors will tell you their software is built to support HIPAA compliance. What they will not tell you — because it is buried in your Business Associate Agreement — is that HIPAA compliance is your responsibility, not theirs. The software is a tool. How you configure it, who has access to it, how it is backed up, and whether it is connected to other systems securely is entirely on you.
The most common configuration gaps found in dental practice management software include:
None of these are software failures. They are configuration and process failures — and they are exactly what an OCR investigator or a ransomware group will find.
The 2025 HIPAA Security Rule update eliminated the distinction between "addressable" and "required" implementation specifications. That distinction was the loophole that allowed small practices to skip controls they deemed unreasonable or unnecessary. That loophole is now closed.
Here is what is now mandatory for every dental practice, regardless of size:
If your practice was not doing these things before, you are now out of compliance by default — not because of something you did wrong, but because the rules changed and most dental practices have not caught up.
Cyber insurance renewal is one of the most reliable triggers that sends dental practice owners looking for help, and the requirements have changed significantly in the past two years.
Most cyber insurance applications for healthcare practices now require you to document and verify:
If you cannot check those boxes, you are likely looking at a coverage denial, a significant premium increase, or a policy with exclusions that eliminate coverage for the exact scenarios you are trying to insure against.
The practices that wait until 30 days before renewal to figure this out are the ones that end up in a panic, accepting whatever terms they can get. The ones that address it now have leverage and documentation when the underwriter asks.
A dental practice does not need a full-time CISO. A full-time Chief Information Security Officer costs $200,000 to $400,000 per year. That is not the right model for a dental practice with eight employees and one location.
What a dental practice with eight employees does need is someone with CISO-level expertise who can:
That is what a fractional vCISO delivers, at a fraction of the cost of a full-time hire, and without the overhead of recruiting, onboarding, and retaining an executive-level employee.
If you manage a dental practice and you are not sure where your security posture stands, here is where to start.
Step 1: Pull your Business Associate Agreements.
List every vendor that touches patient data: your practice management software, billing company, cloud backup service, email provider, telehealth or patient communication platform. Every one of them needs a current, signed BAA. If you cannot find it, it may not exist.
Step 2: Audit your user accounts.
How many people have login access to your practice management software? When did you last remove a former employee's access? Do any accounts share a password? Role-based access controls and immediate deprovisioning of departed staff are two of the simplest and most impactful things you can do.
Step 3: Turn on MFA.
Multi-factor authentication is now a HIPAA requirement and a cyber insurance requirement. Turn it on for your practice management software, your email, and your billing platform. If your software does not support MFA natively, that is a gap worth flagging immediately.
Step 4: Verify your backups.
When were your patient records last backed up? Where are those backups stored? Have you ever tested whether you can actually restore from them? Encrypted, tested, off-site backups are the single most important technical control for surviving a ransomware attack.
Step 5: Schedule a HIPAA risk assessment.
Everything above feeds into a formal risk assessment, but the risk assessment is also where you find the gaps you did not know to look for. For a practice that has never had one, a HIPAA risk assessment is the starting point for building a defensible security program.
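The account audit in Step 2 and the backup verification in Step 4 are the two steps that can be turned into a repeatable check rather than a one-time conversation. The script below is an added example, not code from the original post or from Cybersecurity Advisory Group. It assumes the practice management system can export a user list with the columns shown (user, role, active, mfa, last_login) and that the nightly backup job records a SHA-256 for each snapshot; both are hypothetical, and every row of sample data is constructed for illustration.

```python
"""Self-audit helpers for the account review (Step 2) and backup check (Step 4).

Added example. Column names and the backup manifest format are assumptions;
adapt them to whatever your practice management system actually exports.
"""
import hashlib
from datetime import date, timedelta

# Constructed user export (hypothetical column names, fictional staff).
USER_EXPORT = [
    {"user": "dr.rivera",  "role": "admin",    "active": True,  "mfa": True,  "last_login": "2025-09-10"},
    {"user": "hyg.chen",   "role": "clinical", "active": True,  "mfa": True,  "last_login": "2025-09-11"},
    {"user": "front.desk", "role": "clinical", "active": True,  "mfa": False, "last_login": "2025-09-11"},
    {"user": "j.smith",    "role": "billing",  "active": True,  "mfa": True,  "last_login": "2025-03-02"},
    {"user": "itvendor",   "role": "admin",    "active": True,  "mfa": False, "last_login": "2025-01-15"},
    {"user": "old.temp",   "role": "clinical", "active": False, "mfa": False, "last_login": "2024-11-30"},
]
# Who HR says currently works here (constructed). Any active login not on this
# list belongs to someone who should have been deprovisioned.
CURRENT_STAFF = {"dr.rivera", "hyg.chen", "front.desk", "itvendor"}
TODAY = date(2025, 9, 12)


def audit_accounts(export, current_staff, today, stale_days=90, max_admins=2):
    """Return sorted (finding, user) pairs for live accounts that need attention."""
    findings = []
    admins = []
    for row in export:
        if not row["active"]:
            continue  # disabled accounts grant no access; only live logins matter
        user = row["user"]
        if user not in current_staff:
            findings.append(("DEPARTED_STILL_ACTIVE", user))
        if not row["mfa"]:
            findings.append(("MFA_DISABLED", user))
        last = date.fromisoformat(row["last_login"])
        if today - last > timedelta(days=stale_days):
            findings.append(("STALE_LOGIN", user))  # unused accounts are easy to forget and easy to abuse
        if row["role"] == "admin":
            admins.append(user)
    if len(admins) > max_admins:
        findings.append(("TOO_MANY_ADMINS", ",".join(sorted(admins))))
    return sorted(findings)


# Constructed backup manifest: what the nightly job recorded for each snapshot.
SNAPSHOT_BYTES = b"constructed-patient-db-snapshot-2025-09-11"
BACKUP_SETS = [
    {"taken": "2025-09-11", "location": "offsite", "encrypted": True,
     "sha256": hashlib.sha256(SNAPSHOT_BYTES).hexdigest()},
    {"taken": "2025-09-11", "location": "onsite", "encrypted": True,
     "sha256": hashlib.sha256(SNAPSHOT_BYTES).hexdigest()},
]


def verify_backups(backup_sets, today, restored_bytes, max_age_days=1):
    """Check the newest backup: recency, encryption, off-site copy, and that a
    test restore reproduces the hash recorded at backup time."""
    newest = max(backup_sets, key=lambda b: b["taken"])
    problems = []
    if today - date.fromisoformat(newest["taken"]) > timedelta(days=max_age_days):
        problems.append("BACKUP_TOO_OLD")
    if not newest["encrypted"]:
        problems.append("BACKUP_UNENCRYPTED")
    if not any(b["location"] == "offsite" and b["taken"] == newest["taken"] for b in backup_sets):
        problems.append("NO_OFFSITE_COPY")  # a copy on the same LAN dies with the ransomware
    # The restore test is the step most practices skip: actually read the
    # backup back and compare it to what was written.
    if hashlib.sha256(restored_bytes).hexdigest() != newest["sha256"]:
        problems.append("RESTORE_HASH_MISMATCH")
    return problems


if __name__ == "__main__":
    for finding, who in audit_accounts(USER_EXPORT, CURRENT_STAFF, TODAY):
        print(f"{finding:24} {who}")
    print("backup problems:", verify_backups(BACKUP_SETS, TODAY, SNAPSHOT_BYTES) or "none")
```

On the constructed data the account audit flags the former billing employee whose login is still active, the two logins without MFA, and two accounts nobody has used in months; the backup check passes only because the restore actually reproduced the recorded hash. Keep the printed output with the date it was run: it is exactly the kind of evidence a risk assessment or an insurance application asks for.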
Most dental practices are operating with a significant gap between the sensitivity of their patient data and the security controls protecting it. That gap is visible to OCR, to ransomware operators, and increasingly to cyber insurance underwriters.
Closing that gap does not require a massive IT budget or a full-time security team. It requires a documented risk assessment, a few basic technical controls, and written policies that reflect how your practice actually operates.
If you are not sure where your practice stands, a 15-minute conversation is enough to identify your biggest exposure points and what it would take to address them.
Schedule a Free 15-Minute HIPAA Gap Call with Cybersecurity Advisory Group →
Melissa Thornton, CISSP, is the founder of Cybersecurity Advisory Group and a veteran healthcare CISO with experience securing large health systems and building security programs from the ground up for small practices. Cybersecurity Advisory Group serves dental offices, mental health clinics, home health agencies, and specialty practices across the NY/NJ/CT tri-state area.