A dental practice may not picture itself as a target for cybercriminals, but attackers see it differently. Your office holds full names, dates of birth, Social Security numbers, insurance details, treatment histories, and digital images like X-rays and CBCT scans. That is a complete identity theft kit, stored in one place and often behind lighter security than a hospital would use. Under HIPAA, a solo dental office is held to the same core standards as a large medical group, and the Office for Civil Rights has already fined dental practices directly.
Why dental practices are an attractive target
Two things make dental offices appealing to attackers. First, the data is valuable. Second, the defenses are often thin. Many practices still run their practice management and imaging software, such as Dentrix, Eaglesoft, or Open Dental, on an aging on-site server that has not been patched in months. Staff frequently share a single login, remote access is left open for a software vendor, and backups are rarely tested.
Common weak points we see in dental offices include:
- One shared administrator password used by the whole front desk
- No multi-factor authentication on email or remote access
- Imaging and operatory computers running outdated Windows versions
- A flat network where guest Wi-Fi and the server sit together
- Backups that exist but have never been tested with a real restore
- No signed business associate agreement with software or billing vendors
Any one of these gaps can turn a single phishing click into a full practice shutdown. Dental practices have been hit repeatedly by ransomware and email account compromise, with patient data exposed in attacks reported at dental offices across the country.
What HIPAA requires of a dental office today
HIPAA is not optional for dental practices, and the size of the office does not change the rules. Three obligations deserve special attention.
A documented risk analysis
The HIPAA Security Rule requires every practice to complete and maintain a security risk analysis that identifies where electronic protected health information lives and what threatens it. This is the single most common finding in OCR investigations, and “we never got around to it” is not a defense. A proper HIPAA risk assessment is the foundation that everything else builds on.
Patient right of access
Patients have the right to a copy of their records, in most cases within 30 days. This sounds minor, but it is one of the most enforced parts of HIPAA. In 2022, OCR settled three separate cases with dental practices that failed to provide timely access, with penalties ranging from 25,000 to 80,000 dollars. The lesson is simple: enforcement reaches small dental offices, not just hospitals.
Vendors and breach notification
If a vendor touches your patient data, you need a signed business associate agreement with that vendor. And if a breach occurs, you must notify affected patients and HHS. Breaches affecting 500 or more people are posted publicly on the HHS breach portal, where any prospective patient can find them.
What is changing in 2026
HHS has proposed the most significant overhaul of the HIPAA Security Rule in two decades. The proposed rule, published in early 2025, would make several safeguards mandatory that many practices still treat as optional. These include multi-factor authentication for all access to systems holding patient data, encryption of that data at rest and in transit, and a written inventory of every device that touches it. As of mid 2026 the rule is not yet final, but the direction is clear, and practices that adopt these controls now will not be scrambling later.
A practical checklist to lower your risk
- Complete a documented HIPAA risk analysis and fix what it finds
- Turn on multi-factor authentication for email, remote access, and your practice management system
- Encrypt laptops, servers, and any device that stores images or records
- Follow a 3-2-1 backup plan and test a real restore at least quarterly
- Patch or replace operatory and imaging computers still on old Windows versions
- Separate guest Wi-Fi from the network your server and workstations use
- Sign business associate agreements with every vendor that handles patient data
- Train the whole team to spot phishing, since most attacks start with an email
How ACS helps dental practices
Atlantic Computer Systems provides HIPAA compliance services and managed IT services for healthcare practices across the Bay Area, New England, and nationwide. We handle the risk analysis, the security controls, the backups, the cybersecurity monitoring, and the documentation, so your team can focus on patients instead of firewalls.
Frequently asked questions
Does HIPAA apply to a small dental practice?
Yes. Any dental practice that transmits health information electronically, which includes electronic claims and most modern billing, is a covered entity under HIPAA. Practice size does not change the obligation.
Is my practice management software vendor responsible for HIPAA compliance?
No. A vendor like Dentrix or Eaglesoft may sign a business associate agreement and secure their part of the system, but the practice stays responsible for its own workstations, staff, network, and documentation. Compliance cannot be fully outsourced to software.
Do we really need multi-factor authentication?
In practice, yes. MFA is one of the most effective ways to stop account takeover, it is widely required by cyber insurers, and it is part of the proposed 2026 HIPAA Security Rule updates. Turning it on now is a low cost, high value step.
What happens if our dental practice has a data breach?
You must notify affected patients and HHS, and breaches affecting 500 or more people are posted publicly. Beyond the penalty risk, there are notification costs, downtime, and lost patient trust. A tested backup and a written response plan reduce the damage.
How do we find out where our practice stands?
The fastest way is a professional HIPAA and security risk assessment that reviews your systems against current requirements and flags the gaps. That is exactly where we start with new dental clients.
Book your free consultation
Ready to find out where your practice stands? Book a free IT and security consultation with Atlantic Computer Systems at https://calendly.com/glewis-acs-tech/free-it-security-assessment, or call 1-650-300-7557. We will review your current setup, flag your biggest risks, and show you a clear path to compliance, with no obligation.


