Three Major Dental DSOs Got Hit By Ransomware This Summer. Yours Isn't Immune.
Three major DSOs hit by ransomware in summer 2024. Independent practices have different risk profiles - lower ransom targets, but vulnerable to data extortion. Backup strategy and basic security are essential.
In June and July 2024, three dental DSOs (one of the "Big Four," plus two mid-size regional networks) experienced ransomware attacks that locked down patient records for days. Appointments were cancelled. Treatment histories went offline. Billing systems stopped. Some practices couldn't see patient data for over a week.
The incidents were quietly managed. No breach notification letters. No press releases from corporate. Just internal chaos and a message: "Your IT team is handling it."
If you're independent, you're thinking: "This is a DSO problem. I'm safer."
You're wrong. You're just more visible.
Why DSOs Look Like Targets (But Aren't the Only Ones)
Ransomware gangs follow basic economics: target high-revenue, low-security environments where someone will pay quickly.
DSOs are attractive because:
Centralized data:
All practices feeding into one network. One breach = 50-500 locations compromised simultaneously. Threat actor's leverage multiplies.
Easy leverage:
Hackers encrypt everything, then call corporate saying: "We have 2 million patient records. $500K and we delete them." Most DSOs pay within 24-48 hours.
Older infrastructure:
Large organizations run legacy systems. They're integrating multiple acquired practices with different IT stacks. Security holes pile up.
Cost cutting on security:
DSOs employ IT generalists, not security specialists. They patch things slowly. They don't have 24/7 SOCs (security operations centers). They're vulnerable.
What you *don't* see: solo practices getting hit with targeted ransomware. They do get hit, but less often and less effectively.
Why? Because a hacker encrypting your practice's 500 patient records has almost no leverage. You can't pay $100K+ because your business doesn't survive 24 hours of being offline, much less 2 weeks while you negotiate. So the hacker moves on to easier targets - DSOs, hospitals, larger groups.
But here's the dark truth: ransomware gangs are getting smarter. They're now targeting small practices, not for immediate payment, but for *patient data to sell*. They encrypt your files, offer to "sell" you decryption keys, but the real money comes from selling your patient list to identity theft rings or dental scam operations.
Your patient data is worth $20-50 per record on the dark web. 500 patient records = $10,000-25,000. It's a different business model, but it's coming.
What Actually Happened in Those DSO Attacks
Based on public information from affected organizations and industry reporting, here's roughly what went down:
Attack Vector:
Phishing emails to administrative staff at one location. Someone clicked a link, entered their network credentials. Attacker had access.
Propagation:
Once in the network, the attacker spent 2-3 weeks moving laterally, finding the centralized backup system (usually the crown jewel). They disabled or corrupted backups so even offline restores weren't possible.
Encryption:
They hit the server. Entire network went dark. All connected practices lost access simultaneously.
Ransom demand:
$500K-2M depending on organization size. Threat included patient data release or sale.
Resolution:
DSOs paid (quietly). They restored from whatever backups they could find offline. Restoration took days to a week.
Aftermath:
Hundreds of appointments cancelled. Patients worried about data breach. Press went silent because law enforcement and carriers advised against public disclosure (not for security reasons, but for negotiation reasons).
The really damaging part? The backup strategy was the weak point. Centralized backups on the same network as production systems. No air-gapped backup (offline, disconnected). No immutable backups that can't be encrypted. They had to restore from incrementals and old tapes.
Your Practice's Actual Risk
Let's be honest about your security posture. You probably have:
One practice management system:
Dentrix, Eaglesoft, or Open Dental, running on a practice workstation or hosted in the cloud
One or two backups:
Automatic daily backup to a cloud service (Carbonite, Backblaze, or built-in)
Zero security budget:
You have no IT person. You call someone when something breaks.
Average security practices:
You use passwords. You maybe have two-factor authentication on some accounts. You click links in emails without thinking.
Here's your realistic threat profile:
Phishing attack:
60% likely in any given year. Someone on your team clicks a link, enters credentials. Attacker now has access to your network.
Lateral movement:
30% likely if they get that first credential. They move to your practice management system, find the backup system, and understand your setup.
Encryption:
15% likely after successful lateral movement. They encrypt your files.
Payment demand:
If they encrypt your files, your chance of being targeted for ransom (vs. data sale) is maybe 5-10%. If you're a solo practice, they'll try data extortion (selling your patient list) instead.
Net risk: You have a 5-15% chance of ransomware this year if you're typical. That's low, but not zero.
What You Should Actually Do
Implement air-gapped backups.
Your daily cloud backup is fine, but once per week, download your backup locally to an external hard drive that stays disconnected from your network. Store it offsite (home safe, parent's house, anywhere). Cost: $200-500. Time: 30 minutes to set up automation.
Create immutable backups.
Some cloud platforms (AWS, Azure) offer immutable snapshots - backups that *can't* be deleted or encrypted even if someone has your credentials. If you're on a professional cloud platform, enable this. It costs 10-20% more but makes recovery without paying the ransom possible.
Implement security basics.
This sounds obvious, but most practices don't do this:
Require unique, strong passwords for all staff (use a password manager)
Enable two-factor authentication on critical accounts (email, practice management system admin account, backup service)
Conduct quarterly phishing training (honestly, hire a third party to send fake phishing emails to your team and retrain anyone who clicks)
Keep software updated. Don't skip practice management software updates.
Test your recovery process.
Here's the thing: most practices have backups they've never tested. You don't know if they actually work. Once per year, restore your practice management system from backup to a test environment and verify you can see all your data. If you can't, you don't have a backup - you have a decoration.
Get cyber liability insurance.
It costs $2,000-4,000 per year. It covers ransomware negotiation, legal fees, and sometimes payment. It also incentivizes you to maintain good security (if you don't, they deny coverage). It's a forcing function to actually do the work above.
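The two backup steps above (the weekly offline copy and the annual recovery test) are the ones that decide whether you have a backup or a decoration. The script below is an added example written for this article, not code from any practice management vendor or backup service. It assumes (hypothetically) that your practice management system writes a nightly export folder and that the external drive is mounted only while the copy runs; it copies that export to a dated folder on the drive, records a SHA-256 hash for every file, re-checks those hashes, flags a drive whose newest copy is older than a week, and does a dry-run restore into a scratch folder. The `demo()` function builds a constructed sample export so the whole cycle runs offline, then tampers with one file to show what a failed check looks like.

```python
"""Weekly offline backup copy with an integrity manifest, a staleness check and
a dry-run restore. Added example for this article; not vendor or project code.
Assumptions (hypothetical): the PMS writes a nightly export to a folder, and the
external drive is plugged in only while copy_backup() runs."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST_NAME = "MANIFEST.sha256.json"
MAX_BACKUP_AGE_DAYS = 7  # the article's cadence: one offline copy per week


def sha256_of(path: Path) -> str:
    """Stream the file so large document/X-ray folders never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_backup(source: Path, dest_root: Path, when: Optional[datetime] = None) -> Path:
    """Copy the export into a dated folder on the offline drive and record a hash per file.
    copytree refuses to overwrite an existing folder, so a bad run never clobbers a good copy."""
    when = when or datetime.now()
    target = dest_root / when.strftime("backup-%Y-%m-%d")
    shutil.copytree(source, target)
    manifest: Dict[str, str] = {
        p.relative_to(target).as_posix(): sha256_of(p)
        for p in sorted(target.rglob("*")) if p.is_file()
    }
    (target / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return target


def verify_backup(target: Path) -> List[str]:
    """Re-hash every file against the manifest. An empty list means the copy is intact;
    anything else means this folder is a decoration, not a backup."""
    manifest_path = target / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        p = target / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def newest_backup_age_days(dest_root: Path, now: Optional[datetime] = None) -> Optional[int]:
    """Days since the newest dated folder; None if the drive holds no backups at all."""
    now = now or datetime.now()
    dates = []
    for d in dest_root.glob("backup-*"):
        try:
            dates.append(datetime.strptime(d.name, "backup-%Y-%m-%d"))
        except ValueError:
            continue  # ignore folders that don't follow the naming scheme
    return (now - max(dates)).days if dates else None


def restore_check(target: Path, scratch: Path, required: List[str]) -> bool:
    """Dry-run restore into a scratch folder and confirm the files the PMS needs to open
    are present and non-empty. `required` is whatever your own system needs (assumption)."""
    restored = scratch / "restore-test"
    shutil.copytree(target, restored)
    return all((restored / r).is_file() and (restored / r).stat().st_size > 0 for r in required)


def demo() -> dict:
    """Run the whole cycle on a constructed sample export, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "pms_export"
        (src / "docs").mkdir(parents=True)
        (src / "patients.sql").write_text("-- constructed sample dump, not real data\n")
        (src / "docs" / "xray_0001.bin").write_bytes(b"\x00" * 1024)
        drive = root / "offline_drive"
        drive.mkdir()
        copied = datetime(2024, 8, 5)
        target = copy_backup(src, drive, copied)
        result = {
            "problems_before": verify_backup(target),
            "restore_ok": restore_check(target, root, ["patients.sql", "docs/xray_0001.bin"]),
        }
        (target / "patients.sql").write_text("ENCRYPTED")  # simulated tampering of the copy
        result["problems_after"] = verify_backup(target)
        age = newest_backup_age_days(drive, copied + timedelta(days=9))  # checked 9 days later
        result["age_days"] = age
        result["stale"] = age is None or age > MAX_BACKUP_AGE_DAYS
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `copy_backup()` once a week while the drive is plugged in, unplug it, and run `verify_backup()` plus `restore_check()` against the previous week's folder before the new copy so you learn about a bad copy while you still have a good one. The staleness check is the piece most practices skip: an external drive that has quietly not been updated for two months is the same as no drive at all.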
The Hard Conversation
You're not going to do most of this. You're going to read it, think "that's important," and move on. When (not if) ransomware becomes part of your year, you'll be scrambling, and you'll pay $50K-100K to a recovery service to restore your data.
Alternatively, you pay $10K-15K upfront in insurance, backups, and security tools. You spend 20 hours this quarter setting it up. Then you move on with your practice, knowing you're protected.
The DSOs that got hit this summer probably spent millions on recovery and lost millions more in productivity. Independent practices that get hit spend $50K-200K. But practices with basic security? They spend nothing.
The question isn't whether ransomware will come for you. It's whether you'll be ready when it does.
OPERATOR MATH
Let's calculate the cost of a ransomware attack vs. the cost of prevention:
Ransomware scenario (unprotected practice):
Ransom demand: $50K (small practice).
Recovery services: $30K (forensics, data restoration).
Lost revenue: 5 days offline × $4,000/day = $20K.
Regulatory fines (HIPAA breach notification): $10K-$50K depending on severity.
Patient notification and credit monitoring: $15K.
Reputation damage and patient attrition: $25K (10% of patients leave).
Total cost: $150K-$190K.
Prevention scenario:
Cyber liability insurance: $3,000/year.
Air-gapped backup system (external drive + offsite storage): $500 setup + $200/year maintenance.
Immutable cloud backup upgrade: $600/year (20% premium on existing backup).
Phishing training: $500/year.
Two-factor authentication setup: $0 (free with most platforms).
Annual backup recovery test: $500 (IT consultant).
Total year-1 cost: $5,300. Ongoing annual cost: $4,800.
5-year comparison:
Unprotected: 15% chance of attack per year = 75% cumulative chance over 5 years × $170K average cost = $127,500 expected loss.
Protected: $5,300 + ($4,800 × 4) = $24,500 total cost.
Net savings: $103,000 over 5 years.
You're gambling $127K in expected losses to avoid spending $24K in protection. That's not risk management. That's hope.
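The operator math above, as an added example that is not part of the original article: the functions take the article's own figures as defaults but accept any per-year probability, incident cost and prevention budget, so you can rerun the comparison with your own numbers. It also adds one check the article's arithmetic skips. Summing 15% per year to get 75% over five years is a simplification (it would exceed 100% at seven years); treating each year as an independent draw gives 1 - 0.85^5, about 56%. The example computes both, and with the article's inputs prevention still wins by a wide margin under the more conservative figure.

```python
"""Expected-loss comparison: unprotected practice vs. paying for prevention.
Added example for this article, not from the original page. ARTICLE_INPUTS are
the article's figures; everything else is generic arithmetic over those inputs."""
from typing import Dict


def cumulative_chance_linear(p_year: float, years: int) -> float:
    """The article's simple sum (15%/yr × 5 yrs = 75%). Capped at 100% because a
    probability can't exceed it; the sum overstates risk for long horizons."""
    return min(1.0, p_year * years)


def cumulative_chance_compounded(p_year: float, years: int) -> float:
    """Chance of at least one incident if each year is an independent draw: 1 - (1-p)^n."""
    return 1.0 - (1.0 - p_year) ** years


def prevention_cost(year1: float, ongoing: float, years: int) -> float:
    """Year-one setup cost plus the recurring cost for each following year."""
    return year1 + ongoing * (years - 1)


def compare(p_year: float, years: int, incident_cost: float,
            year1: float, ongoing: float) -> Dict[str, float]:
    """Expected loss with and without controls, under both probability models,
    plus the incident cost at which prevention merely breaks even."""
    protect = prevention_cost(year1, ongoing, years)
    p_lin = cumulative_chance_linear(p_year, years)
    p_cmp = cumulative_chance_compounded(p_year, years)
    return {
        "cumulative_chance_linear": p_lin,
        "cumulative_chance_compounded": p_cmp,
        "expected_loss_linear": p_lin * incident_cost,
        "expected_loss_compounded": p_cmp * incident_cost,
        "prevention_cost": protect,
        "net_savings_linear": p_lin * incident_cost - protect,
        "net_savings_compounded": p_cmp * incident_cost - protect,
        # incident cost below which the prevention budget is not worth it (compounded model)
        "break_even_incident_cost": protect / p_cmp,
    }


# The article's figures: 15%/yr, 5 years, $170K average incident, $5,300 year one, $4,800 after.
ARTICLE_INPUTS = dict(p_year=0.15, years=5, incident_cost=170_000,
                      year1=5_300, ongoing=4_800)


def article_comparison() -> Dict[str, float]:
    """Reproduces the article's $127,500 / $24,500 / $103,000 and adds the compounded view."""
    return compare(**ARTICLE_INPUTS)


if __name__ == "__main__":
    for key, value in article_comparison().items():
        print(f"{key:>30}: {value:,.2f}")
```

`break_even_incident_cost` is the useful knob for a skeptic: with the article's inputs, prevention pays for itself as long as a single incident would cost you more than roughly $44K, far below the article's itemized $150K-$190K.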
THE TAKEAWAY
This week, buy an external 2TB hard drive ($80) and set up a weekly offline backup of your practice management system. Store it at home, disconnected from your network. Next week, call your insurance broker and get cyber liability insurance quotes ($3K/year). Enable two-factor authentication on your email and practice management admin account (takes 15 minutes). Schedule an annual backup recovery test with your IT provider ($500). These four actions cost you $5,000 in year one and protect you from $150K-$200K in ransomware losses. The DSOs that got hit this summer wish they'd done this. Don't wait for your turn.