
Dental Practice Cybersecurity — 7 Threats

You hold ePHI for every patient, run a busy front desk, and depend on a single practice-management system to operate. That makes a dental practice a near-ideal ransomware target. Here are the seven threats hitting practices right now — and what stops each one.

Kapacyber Security Research Team

Dental practices look small from the outside and big from the attacker's side. A typical practice holds names, addresses, dates of birth, Social Security numbers, insurance details, and clinical records for thousands of patients, plus payment data and a full staff payroll — all sitting behind a network that's often as unmanaged as a home office. And no practice can operate while its PMS is locked. The combination is exactly what ransomware crews look for.

Below are the seven threats hitting practices most frequently in 2026, how each works, and the small set of controls that genuinely stops them.

The Seven Threats — and What Stops Each

1. Ransomware on the PMS

How it works

Attackers encrypt the practice's Dentrix, Eaglesoft, or Open Dental database — typically arriving through email or a vulnerable remote-access service. The practice can't schedule, chart, bill, or treat.

How to stop it

Tested offsite backups, EDR on every workstation, MFA on remote access, and an incident-response plan. The practice can recover from clean backups, but only if they exist and have been tested.

2. Email account takeover

How it works

A phished credential lets an attacker into the practice's email — they read patient and insurance correspondence and use the mailbox to send malicious links or fake invoices to staff and patients.

How to stop it

MFA on email, account-compromise monitoring, and ongoing phishing training. MFA alone defeats the vast majority of these.

3. Insurance / EOB fraud

How it works

Attackers compromise the inbox or impersonate an insurer to redirect explanation-of-benefits payments or steal credentialing details. The money leaves before the practice notices.

How to stop it

Out-of-band verification of payment-instruction changes via a known phone number, plus the email security above.

4. X-ray and imaging device compromise

How it works

Intraoral cameras, panoramic x-ray systems, and intraoral-scanner workstations often run outdated Windows builds with poor patching. They become a foothold an attacker uses to reach the PMS.

How to stop it

Network segmentation so imaging devices can't freely reach the PMS, patching where possible, and vendor pressure to keep systems supported.

5. Lost or stolen laptops/tablets without encryption

How it works

A device used by an associate or hygienist is stolen or left behind. If it's unencrypted and holds ePHI, that's a reportable breach under the HIPAA Breach Notification Rule.

How to stop it

BitLocker / FileVault encryption enabled and centrally managed; MDM on tablets; quick remote-wipe.

6. Vendor / business associate breaches

How it works

A third-party vendor — billing service, IT contractor, cloud-imaging provider — is breached and your patients' ePHI is exposed downstream. Many practices don't have BAAs in place.

How to stop it

A current Business Associate Agreement with every vendor that touches ePHI, plus vendor due diligence. We cover this in business associate agreements.

7. Insider mistakes and improper access

How it works

Staff turnover is high, shared workstations are common, and access often outlives employment. Old accounts and over-broad access are how casual incidents become reportable ones.

How to stop it

Least-privilege access, prompt offboarding, audit controls that log access, and a quarterly access review.
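What a quarterly access review looks like in practice, as an added example that is not part of the original article: it reconciles a PMS user export against the HR roster and flags the three conditions described above (accounts that outlive employment, accounts nobody has used, and permissions broader than the role needs). The account export, roster, role-to-permission map and 90-day staleness window are all constructed assumptions, not a real PMS schema.

```python
"""Quarterly PMS access review: orphaned, stale and over-broad accounts."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_AFTER_DAYS = 90  # assumption: no login for a quarter counts as stale

# Assumed role-to-permission map; a real practice fills this from its PMS roles.
ALLOWED_BY_ROLE = {
    "hygienist": {"chart", "schedule"},
    "front_desk": {"schedule", "billing"},
    "dentist": {"chart", "schedule", "billing", "prescribe"},
}

@dataclass
class Account:
    username: str
    role: str
    permissions: set
    last_login: Optional[date]
    enabled: bool

def review_accounts(accounts, roster, today):
    """Return (username, finding) pairs for every enabled account that needs action."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already offboarded; nothing to review
        if acct.username not in roster:
            findings.append((acct.username, "orphaned: not on current HR roster"))
        if acct.last_login is None or (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append((acct.username, "stale: no login in the review window"))
        extra = acct.permissions - ALLOWED_BY_ROLE.get(acct.role, set())
        if extra:
            findings.append((acct.username, f"over-broad: {sorted(extra)} not needed for {acct.role}"))
    return findings

# Constructed sample data (not real accounts): one former employee whose
# account outlived employment, one front-desk user who was granted charting.
HR_ROSTER = {"jdoe", "asmith", "drlee"}
PMS_EXPORT = [
    Account("jdoe", "hygienist", {"chart", "schedule"}, date(2026, 3, 28), True),
    Account("asmith", "front_desk", {"schedule", "billing", "chart"}, date(2026, 3, 30), True),
    Account("drlee", "dentist", {"chart", "schedule", "billing", "prescribe"}, date(2026, 3, 31), True),
    Account("tformer", "front_desk", {"schedule", "billing"}, date(2025, 11, 2), True),
    Account("temp2024", "hygienist", {"chart"}, None, False),
]
REVIEW_DATE = date(2026, 4, 1)

if __name__ == "__main__":
    for user, finding in review_accounts(PMS_EXPORT, HR_ROSTER, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Each finding maps to an action the article already names: disable the orphaned account as part of offboarding, confirm or remove the stale one, and trim the extra permission back to the role.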

The Common Thread

Notice the same handful of controls appear over and over: MFA, EDR, tested backups, network segmentation, phishing training, vendor BAAs, and least-privilege access. That's not a coincidence — a small, well-operated control set covers the overwhelming majority of attacks against a dental practice. The general MFA playbook is in our plain-English MFA guide, and the broader HIPAA picture in HIPAA cybersecurity for small practices.

The HIPAA Wrapper Around It All

Every one of these threats has a HIPAA dimension too. A breach of unencrypted ePHI on a stolen laptop is a Breach Notification Rule event. A ransomware encryption that touched ePHI presumptively triggers notification unless you can show low probability of compromise. And under the Security Rule, the controls above aren't optional — a documented risk analysis is supposed to identify each of these threats in your environment, which is why HHS OCR cites the risk analysis most often in enforcement. We walk through what OCR wants in the HIPAA risk analysis HHS OCR actually wants.

The Bottom Line

A dental practice doesn't need to do everything to be safe — it needs to do the right things in the right order. Put MFA on email and the PMS, get EDR on every workstation, test the PMS backup quarterly, segment imaging devices, sign BAAs with every vendor, train staff, and review access. That covers the seven threats above and the great majority of what hits practices.

For how that operates as a managed service, see the cybersecurity for healthcare practices page, or the cost view in how much it costs for a medical or dental practice.

This article is general information, not legal or compliance advice.
