Obsidian Ridge

Threat Intelligence & Incident Response

Dental Ransomware in 2026: Why Practice Management Systems Are the Number-One Target

Why ransomware operators target dental practices, how attacks land on Dentrix and Eaglesoft, what a real incident week looks like, and the controls that actually break the chain.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+

A practitioner note for practice owners, office managers, and the IT generalists who keep dental offices running. This article assumes you are not a security professional and that you have other things to do today than read about ransomware. I will keep it concrete.

Dental practices have become one of the most consistently targeted small business categories in 2025 and into 2026. That is not a marketing line. It is what the incident data, the insurance carriers, and the threat actor leak sites all show. If you run or support a dental practice with two to twelve operatories, you are inside the target zone.

This article covers why, how the attack actually lands, what the first hour and the first week look like, and what controls genuinely break the chain.

Why dental is a top ransomware target right now

Ransomware operators are economically rational. Dental practices check almost every box.

Downtime is expensive relative to practice size. A single-doctor practice typically produces five to fifteen thousand dollars a day in collected production. Stop the practice management system and you stop the production line. Patients still arrive, but you cannot pull a chart, submit a claim, or in many cases legally treat someone without access to their medical history.

Records retention is legally required. State dental boards typically require patient records to be retained for five to ten years past the last visit, longer for minors. A practice cannot quietly walk away from its data. The attacker knows this.

There is almost never in-house IT. Most practices use a generalist managed service provider — often the same one who installed the digital sensors and the VoIP phones.

Closures are predictable. Most practices are closed Friday afternoon through Monday morning plus most federal holidays. Operators time their detonations to these windows so encryption has 48 to 72 hours to complete before anyone walks back in.

Internal segmentation is weak. Reception, operatory chairside computers, the doctor's laptop, and the practice management server are typically on one flat network. Front desk wifi often reaches the server VLAN. The MSP has domain admin across every machine, with the same password used at three other practices.

That last point matters more than most owners realize.

The ransomware operators actually doing this work

This is not one group — it is an ecosystem. Names that show up most often in healthcare-adjacent SMB intrusions over the last 18 months include Black Basta, ALPHV/BlackCat (the brand collapsed in 2024 but its affiliates moved on to other programs), Royal (rebranded toward BlackSuit), LockBit affiliates, Akira, Play, BianLian, and Hunters International. Several operate as ransomware-as-a-service: the affiliate hitting your practice is not the crew that wrote the encryptor. The affiliate buys access, runs the playbook, takes a cut. The playbooks are remarkably consistent.

The actual attack chain inside a dental practice

It usually starts with a phishing email to the office manager or the billing person. Not the doctor. The office manager has the inboxes that matter — insurance correspondence, vendor invoices, payroll, practice management vendor support — and clicks a lot of links during a normal day because the job requires it.

The lure is a fake invoice, a fake insurance EOB, a fake DocuSign, or a fake voicemail. The payload is a loader — historically Qakbot, then Pikabot after Qakbot's takedown, and more recently DarkGate, IcedID variants, or Latrodectus. The loader does not encrypt anything. Its job is to phone home, establish persistence, and let the operator inside.

Within hours to days, the operator harvests credentials from the infected workstation: browser-stored passwords, cached Windows credentials, RDP histories. If the MSP saved a domain admin password in the office manager's browser — and they often did — game over.

Lateral movement is mechanical. The operator pivots to the practice management server because the network is flat and the credentials work everywhere. They drop a command-and-control beacon — Cobalt Strike is still most common, with Sliver, Brute Ratel, and NetSupport RAT in heavy rotation. They look for backups, the practice management SQL database, and the imaging archive.

Then they exfiltrate. Modern ransomware is double-extortion. The operator copies the patient database out — names, dates of birth, Social Security numbers, insurance IDs, treatment notes, imaging — before encryption. Even if your backups are perfect, the data is gone and the threat to publish it on a leak site is real.

Encryption happens last, usually Friday evening or the night before a holiday. By Saturday morning, every file on every machine is unreadable and there is a ransom note on every desktop.

Why the practice management system is the crown jewel

Dentrix, Eaglesoft, Open Dental, Curve, Denticon — the product varies but the architecture does not. The PMS runs a database, almost always Microsoft SQL Server, that contains the patient ledger, treatment plans, perio charting, insurance claims, scheduling, billing, and references to imaging.

Encrypt that database and you have encrypted the practice. The front desk cannot check anyone in. The hygienist cannot pull a chart. The billing person cannot submit a claim. The doctor cannot legally see a patient whose medical history is inaccessible. The phone keeps ringing. One machine, encrypted, stops the business.

The first hour

If you are reading this in the middle of an active incident:

Disconnect the network switch. Not the internet — the switch. Unplug it from power, or pull every cable. Unplugging the WAN router still lets the malware finish encrypting your LAN.

Do not turn off the encrypted machines. Forensics needs the memory. Lock them, disconnect from the network, leave them powered on.

Call your cyber insurance carrier first. Before the threat actor, before your MSP, before the FBI. Your policy almost certainly requires their panel of incident response, breach counsel, and negotiation vendors. Engaging your own people first can invalidate coverage. The 24/7 hotline is on your policy.

Document everything on paper. Not on the laptops — the laptops are evidence.

Confirm offsite backups exist and are unreachable from the compromised network. Do not connect to them. Call the backup vendor. If backups were on the same network or used the same credentials, assume they are gone.

Do not pay anything yet. Do not click links in the ransom note. Insurance counsel will manage that.

The first week

The first week is structured by HIPAA and by your insurance carrier, in roughly that order.

A forensics firm engaged by the carrier will image affected systems, identify the entry point, determine what was exfiltrated, and confirm whether the threat actor is still in your environment — usually three to seven days for a small practice.

Under the HIPAA Breach Notification Rule, a ransomware incident on systems containing ePHI is presumed to be a breach unless you can demonstrate a low probability the data was compromised. With modern double-extortion ransomware, you almost never can. The clock starts at discovery.

For breaches affecting fewer than 500 individuals, you have up to 60 days from discovery to notify affected patients in writing, and you submit the breach to HHS OCR within 60 days of the end of the calendar year. For breaches affecting 500 or more individuals, you must notify affected individuals, HHS, and prominent media outlets in the affected state without unreasonable delay and no later than 60 days from discovery.

In parallel, breach counsel drafts notification letters, the insurance claim is opened formally, and the rebuild is planned. The rebuild is almost never a restore-in-place. It is a clean rebuild with new credentials and a verified-clean restore of the practice management database from a backup point earlier than the initial intrusion.

Recovery is realistically five to twenty-one days for full operation. I have seen practices back up in three days when everything was right, and take six weeks when the backups were also encrypted.

The controls that actually break the chain

This is the section that matters. Everything above is what happens when nothing is in place. Here is what stops it.

Managed EDR on every endpoint, including the PMS server. Non-negotiable. For most of our dental clients we deploy Huntress Managed EDR. The ransomware canary feature catches encryption behavior in sub-millisecond time and isolates the affected machine automatically. More importantly, the loader stage — Qakbot, DarkGate, Latrodectus — gets caught and investigated by the SOC before lateral movement begins. See the Managed Detection and Response service page.
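A stripped-down version of the canary idea that paragraph describes, as an added example rather than Huntress's own code: it seeds decoy files, records their hashes, and flags any canary that disappears or is rewritten with ciphertext-like (high-entropy) content. The directory, file names and entropy threshold are assumptions.

```python
"""Canary-file monitor: a minimal illustration of the ransomware canary idea.
Added example, not Huntress code.  The watched directory, file names and
entropy threshold are constructed assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Names chosen to sort first and last, where a mass encryptor usually touches them early.
CANARY_NAMES = ("aa_claims_archive.docx", "zz_perio_chart.pdf", "ledger_backup.xlsx")
PLAINTEXT = b"Constructed canary content. Any change means something is rewriting files.\n" * 8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def seed_canaries(directory: str) -> dict:
    """Write the canaries and return a baseline {path: sha256} for later checks."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(PLAINTEXT)
        baseline[path] = hashlib.sha256(PLAINTEXT).hexdigest()
    return baseline

def check_canaries(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return (path, verdict) for every canary that is gone, changed, or now looks encrypted.
    A real EDR runs this on file-write events and isolates the host on the first hit."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing_or_renamed"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected:
            verdict = "rewritten_high_entropy" if shannon_entropy(data) >= entropy_threshold else "modified"
            alerts.append((path, verdict))
    return alerts

def demo() -> dict:
    """Seed canaries in a temp directory, then simulate an encryptor's effect on two of them
    (one overwritten with random bytes, one removed) and return the detector's verdicts."""
    baseline = seed_canaries(tempfile.mkdtemp(prefix="canary_demo_"))
    before = check_canaries(baseline)
    paths = sorted(baseline)
    with open(paths[0], "wb") as fh:
        fh.write(os.urandom(2048))  # random bytes stand in for ciphertext (constructed)
    os.remove(paths[1])
    return {"before": before, "after": check_canaries(baseline)}
```

The hash check alone catches any rewrite; the entropy score is what separates a legitimate edit from encryption, which is the distinction an automated isolation decision depends on.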

Managed ITDR on Microsoft 365. The phishing email that starts the chain lands in someone's inbox. Identity threat detection catches the account takeover and the malicious inbox rules that follow. Most practices we onboard already had a compromised mailbox they did not know about. Details on the Managed ITDR service page.
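An added example of what catching "the malicious inbox rules that follow" looks like as detection logic (not any vendor's ITDR code): it reads constructed Microsoft 365 audit records in the New-InboxRule/Set-InboxRule shape and flags rules that forward mail outside the tenant, delete messages, hide them in folders like RSS Feeds, or filter on finance and credential keywords. The tenant domain and the sample records are assumptions.

```python
"""Flag attacker-style inbox rules in a Microsoft 365 audit export.  Added example,
not a vendor's ITDR logic.  The records are constructed in the shape of Exchange
admin audit entries (Operation plus a Parameters list of Name/Value pairs)."""
import json

# Constructed JSON-lines sample; the mailboxes and the forwarding address are fictional.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"officemgr@example-dental.test","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"invoice;password;wire"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-InboxRule","UserId":"billing@example-dental.test","Parameters":[{"Name":"Name","Value":"EOBs"},{"Name":"ForwardTo","Value":"collector@mail-drop.test"}]}
{"Operation":"New-InboxRule","UserId":"drsmith@example-dental.test","Parameters":[{"Name":"Name","Value":"Lab cases"},{"Name":"MoveToFolder","Value":"Lab"}]}
"""
TENANT_DOMAINS = {"example-dental.test"}  # the practice's own mail domains (assumed)
KEYWORDS = {"invoice", "password", "wire", "payment", "ach", "eob"}
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Deleted Items", "Archive"}

def load_records(text: str) -> list:
    """One JSON audit record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def score_rule(record: dict) -> list:
    """Reasons a rule change looks attacker-made; an empty list means nothing tripped."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = {x["Name"]: str(x.get("Value", "")) for x in record.get("Parameters", [])}
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):  # mail leaving the tenant
        if key in p and any(is_external(a) for a in p[key].split(";") if a.strip()):
            reasons.append(f"{key} to external address")
    if p.get("DeleteMessage", "").lower() == "true":  # hides bank/vendor replies from the user
        reasons.append("deletes matching messages")
    if p.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"moves mail to {p['MoveToFolder']}")
    hits = {w.strip().lower() for w in p.get("SubjectOrBodyContainsWords", "").split(";")} & KEYWORDS
    if hits:
        reasons.append("filters on finance/credential words: " + ", ".join(sorted(hits)))
    if "Name" in p and not p["Name"].strip(" ._-"):  # rules named ".", "..", "-" are a classic tell
        reasons.append("near-empty rule name")
    return reasons

def triage(text: str) -> dict:
    """Map each mailbox to the reasons its rule changes tripped; clean mailboxes are omitted."""
    findings = {}
    for record in load_records(text):
        reasons = score_rule(record)
        if reasons:
            findings.setdefault(record["UserId"], []).extend(reasons)
    return findings
```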

MFA on every administrative account, especially the PMS admin. Not SMS. App-based or hardware token. If MFA is on the admin account, the credentials stolen from the office manager's browser do not work.

Immutable offsite backups following the 3-2-1-1-0 rule. Three copies, two media types, one offsite, one immutable or air-gapped, zero errors on the last verified restore. Tested quarterly. If your backup vendor cannot show you a successful restore test from last quarter, you do not have backups — you have a subscription.

Least privilege on the PMS service account. The SQL Server service account does not need to be a domain admin. The PMS admin user does not need local admin on workstations. Privilege gets reused as the attacker moves.

Network segmentation between front-of-house wifi and the PMS server. Patient wifi and the staff network should not be the same network, and neither should reach the PMS server directly.

A documented incident response plan and a cyber insurance policy you have actually read. Both linked from the cyber insurance readiness page.

The MSP question

Most practices use a generalist MSP. That MSP almost certainly has domain admin or PMS admin credentials, almost certainly reuses those credentials across multiple practices, and almost certainly accesses your network via a remote management tool — ConnectWise ScreenConnect, N-able, Datto RMM, Kaseya, Atera — which is itself a high-value target and has been the entry point for several mass-impact intrusions over the last two years.

This is not an indictment of every MSP. It is a structural reality. Your MSP's security posture is functionally your security posture. Ask whether they have MFA on their RMM, EDR on their technician laptops, and a credential vault that is not a spreadsheet. The good ones will be glad you asked.

If the answers are uncomfortable, that is information. The security layer needs to be operated independently of the IT layer, by someone accountable for security outcomes specifically.

Do you pay?

I have to address this directly because it is the question every owner asks.

The honest answer: probably not, and not without your insurance carrier's pre-approval, and not without OFAC sanctions screening on the operator.

Paying does not guarantee data return. The decryptor may be broken, slow, or partial. The threat actor may publish the exfiltrated data anyway. Some operators are sanctioned by the US Treasury's OFAC, which makes paying them a federal violation regardless of operational pressure. Most policies now require carrier pre-approval and exclude payments to sanctioned entities.

The FBI's standing guidance is to not pay. I align with that guidance. But I have sat with practice owners whose backups failed and who paid because the alternative was losing the business. The point is that the decision should be made with breach counsel and the carrier on the call, not in a panic at 9 p.m. on a Saturday with a ransom note on the screen.

What to do this week if you are not in an active incident

Three things, in this order.

Read your cyber insurance policy. Specifically the required-controls section, the notification timeline, and the incident response panel. If your current controls do not match what the policy requires, fix that gap before you need to file a claim.

Audit who has administrative access to your practice management system, your Microsoft 365 tenant, and your backup system. Remove anyone who should not be there. Confirm MFA on everyone who remains.

Schedule a backup restore test. Not a verification — an actual restore of the practice management database to a non-production environment, performed by your IT provider, witnessed by you, with a written confirmation that the restored database opened cleanly. If they cannot or will not do this, that is the answer to a question you needed answered.

If you want a second opinion on where your practice actually stands, that is what we do. A short call — no obligation, no sales pitch, just a practitioner walking through the gaps. The cyber insurance readiness page is a reasonable place to start.

Attackers do not need your practice to be unprepared. They need it to be more unprepared than the one next door. Closing that gap is achievable, and the controls that close it are not exotic — they are operational discipline applied consistently, by someone whose job it actually is.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

Why are dental practices such a common ransomware target?

Dental practices combine high downtime cost, legally required record retention, predictable closures on Saturdays and holidays, weak network segmentation, and almost no in-house IT. The practice management system is a single database that runs the entire business, which means encrypting it stops production immediately. Attackers know practices are more likely to pay because they cannot bill, treat, or even look up a patient until the system comes back.

What should I do in the first hour of a ransomware attack?

Disconnect the network switch — not just the internet. Isolate every workstation that may have touched the practice management server, but leave the machines powered on; forensics needs the memory. Call your cyber insurance carrier before you do anything else, including before you read or respond to a ransom note. Document everything in a paper notebook because your laptops are evidence. Confirm that your offsite, immutable backups still exist and are not reachable from the compromised network.

Do you have to pay the ransom?

No. The FBI continues to advise against paying. Paying does not guarantee data return, your decryptor may be slow or broken, and certain operators are sanctioned by OFAC — which makes payment a legal problem on top of an operational one. Some practices have paid because their backups failed, but that is a recovery-of-last-resort decision and most insurers now require pre-approval before any payment is made.

Will cyber insurance cover a dental ransomware incident?

Often yes, but only if you meet the policy's required controls. Insurers increasingly require MFA on privileged accounts, EDR or MDR coverage on all endpoints, tested offsite backups, and email security controls. If those controls were not in place at the time of the incident, the claim can be denied or reduced. Read your policy before you need it.

How long do I have to notify patients under HIPAA after a ransomware incident?

Under the HIPAA Breach Notification Rule, you must notify affected individuals without unreasonable delay and no later than 60 days from discovery. For breaches affecting 500 or more individuals, you must also notify HHS and prominent media outlets in the affected state without unreasonable delay and no later than 60 days. For under 500 individuals, HHS is notified annually. Most ransomware events on a practice management system are presumptively reportable because patient data is presumed accessed unless you can demonstrate a low probability of compromise.

How do I know my backups will actually work?

Test them. A backup you have never restored is a wish, not a backup. The 3-2-1-1-0 rule is the working standard: three copies, two media types, one offsite, one immutable or air-gapped, with zero errors on the last verified restore. Quarterly test restores of the practice management database to a non-production environment are the minimum I recommend.

What role does MDR actually play in stopping ransomware?

Managed Detection and Response gives you a 24/7 SOC watching endpoint behavior — including the practice management server — and ransomware canaries that fire in sub-millisecond time when encryption starts. The point is not that prevention will always work. The point is that when a loader lands at 6 p.m. on a Friday, someone is investigating it before encryption begins, and the affected machine can be isolated automatically before it talks to the rest of your network.

Realistically, how long does it take to recover a dental practice from ransomware?

Five to twenty-one days for a full practice management system restore, depending on backup quality, the size of the patient database, whether the insurance carrier's incident response firm is engaged quickly, and whether the threat actor exfiltrated data. Practices that had tested immutable backups, MDR coverage, and an incident response retainer in place are usually on the shorter end. Practices that discover their backup vendor was also encrypted are on the longer end, or worse.
