
The Ransom Note in the Waiting Room: When Ransomware Comes for Your Practice

Published June 1, 2026 · 9 min read · By the ScamDrill Team
Editorial cover reading ‘When ransomware comes for your practice’ beside a ring showing 88% of small-business breaches involved ransomware, with three stats: 1.2 million-plus patient records exposed, $1.165M in HIPAA settlements, and a 58% rise in healthcare ransomware

A patient in Indiana called her dentist to ask for copies of her x-rays. The office told her they could not help. Someone had “hacked” the computers, they said, and the images were gone. She had never received a breach notice. She did not know that a ransomware attack had quietly hit the practice, that no forensic investigation was ever done, or that the office’s entire set of HIPAA policies sat in a binder at one location with no sign anyone had ever followed them. She just wanted her x-rays. What she set in motion instead, after she complained to the state, was a $350,000 settlement and a cautionary tale for every small practice in the country.

That is the real shape of healthcare cybercrime right now. The headlines go to the hospital chains, but the quiet, repeated, financially brutal attacks land on dental offices, family clinics, imaging centers, and specialty practices with a few locations and one part-time IT contact. They get hit not in spite of being small, but because of it.

Why a twelve-person dental office is a prime target

For years the assumption in small practices was comforting and wrong: we are too small to bother with. The data says the opposite. In Verizon’s 2025 Data Breach Investigations Report, ransomware was a factor in 88% of breaches at small and medium businesses, against 39% at large organizations. Attackers are not reaching small offices by accident. They are concentrating there.

Figure 01 · Who ransomware actually hits

Share of 2025 data breaches that involved ransomware: small and midsize businesses, 88%; large organizations, 39%.

Source: Verizon 2025 Data Breach Investigations Report.

The reason is a simple risk-to-reward calculation. A patient chart is worth far more to a criminal than a stolen credit card number, because a card can be cancelled in minutes and a medical record cannot. It carries a Social Security number, a date of birth, an insurance ID, a home address, and a permanent health history, which is everything needed for identity theft, insurance fraud, and targeted follow-on scams. A single 2025 breach at Absolute Dental, a Nevada group with more than fifty locations, exposed the data of over 1.2 million people, including Social Security numbers, driver’s license and passport details, and treatment information.

1.2 million+ patients had their personal and health information exposed in a single 2025 dental-group ransomware incident. The records included Social Security numbers, passport and license data, and treatment histories, the kind of file that cannot be reissued the way a credit card can.
Source: HIPAA Journal, Absolute Dental breach disclosure, 2025.

Now pair that value with the defenses. A typical practice runs on a busy front desk, an outside IT vendor who shows up when something breaks, and clinical software that gets patched late so updates do not interrupt the schedule. That last habit is more dangerous than it sounds. Exploited software vulnerabilities were the single leading root cause of healthcare ransomware in 2025. The valuable data and the thin defense sit in the same building, and the attackers know it.

How the attack actually works

Ransomware is malicious software that locks your files by encrypting them, then demands a payment for the key that unlocks them. The mechanics of getting it into a practice are less exotic than most people expect. Three doors account for the overwhelming majority of cases.

Figure 02 · How ransomware gets into a practice

Three ways in:

  1. Phishing email: a fake invoice, lab result, or claim notice.
  2. Open remote access: RDP exposed to the internet, no MFA.
  3. Unpatched software: a known flaw left open too long.

Inside the network: copy the patient data first (often over days), then encrypt everything.

Two outcomes at once. Systems locked: charts, x-rays, and scheduling frozen, and a ransom is demanded. Patient data exposed: a reportable HIPAA breach, with leak threats on top.

A practice breach almost always has two outcomes at once: an operational crisis and a regulatory one.

The first door is a phishing email. Someone on staff opens what looks like an invoice, a lab result, or an insurance notice, and a single click hands over a password or runs a hidden installer. Phishing has gotten dramatically more convincing: Microsoft’s 2025 Digital Defense Report measured a 54% click-through rate on phishing emails written by AI, against 12% for the human-written kind. The misspelled, clumsy scam email is going extinct.

The second door is remote access left open. Many practices and dental service organizations use remote desktop (RDP) so an IT contractor can log in after hours. When that connection faces the open internet without multi-factor authentication, it is an unlocked back door, and automated tools scan for it constantly. The third door is unpatched software, where a known and already-fixed flaw is left in place long enough for someone to walk through it.

Here is the part that surprises owners most. Modern crews do not encrypt first. They get in quietly, look around, and copy the patient database over hours or days before they ever lock anything. The encryption is just the alarm clock. By the time the screens go red and the ransom note appears, your data has already left the building. That is why restoring from a backup, while essential, does not end the problem. This shift from simple encryption to data theft plus encryption plus public leak threats is now the default, and some groups skip the encryption entirely and run on the threat to publish alone.

2025 was a roll call of small-practice breaches

These are not hypotheticals. A short list from a single year, all reported through the HHS breach portal and tracked by the HIPAA Journal, shows how routine this has become:

The common thread is not technical sophistication. It is that each was a normal practice doing normal work, with defenses that were a step behind the people probing them.

The part most owners underestimate: the HIPAA bill

For a practice, the ransom is rarely the most expensive line item. The regulatory aftermath is. Under HHS guidance, when ransomware encrypts electronic protected health information, the incident is presumed to be a reportable breach unless the practice can demonstrate a low probability that the data was compromised, and that demonstration requires a documented risk assessment, which is hard to produce when no forensic investigation was ever done. That presumption is the trap. It means a ransomware hit is a HIPAA event by default, which triggers the duty to notify every affected patient without unreasonable delay and no later than 60 days after discovery. For any breach affecting 500 or more individuals, HHS must be notified within the same 60 days, and prominent media outlets as well when more than 500 residents of one state or jurisdiction are affected. Smaller breaches still have to be logged and reported to HHS within 60 days of the end of the calendar year.

Then comes the investigation. The HHS Office for Civil Rights has run a Risk Analysis Initiative since late 2024, and the single most common finding across its ransomware settlements is the same sentence, over and over: the entity failed to conduct an accurate and thorough risk analysis. In April 2026 alone, OCR settled four ransomware cases covering more than 427,000 patients for a combined $1,165,000. One of them traced back to a single phishing email opened in July 2020. The penalties are not reserved for hospitals. They land on imaging centers, benefits administrators, and dental practices with the same language attached.

Figure 03 · The ransom is the cheapest part

Median ransom paid: $115K. Typical HIPAA settlement (OCR, 2026): up to $375K. Average recovery cost, excluding ransom: $1.02M. Healthcare downtime: $1.9M per day.

Category benchmarks, not a single bill. Sources: Verizon 2025 DBIR (ransom), HHS OCR 2026 settlements, Sophos State of Ransomware in Healthcare 2025 (recovery), Healthcare IT News (downtime).

Why backups alone will not save you

Good backups get your schedule running again. They do nothing about the copy of your patient data the attacker already took. Restoring from backup does not cancel the breach-notification clock, does not stop a leak-site posting, and does not satisfy OCR that you had a defensible security program. Backups are necessary. They are not a complete answer on their own.

What to watch for

Because crews often sit inside a network for days before they trigger anything, the early signals are subtle and easy to wave off as “the computers being slow.” Train the whole team to flag these, not just the IT contact:

Early warning signs

  1. Practice-management or imaging software that suddenly runs slow or crashes.
  2. Files that will not open, or that carry strange new extensions.
  3. Antivirus or backups turned off without explanation.
  4. New mailbox rules quietly forwarding email outside the practice.
  5. Staff logins from unfamiliar locations or at odd hours, and remote-access sessions nobody scheduled.
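Most of those signs already exist as lines in logs the practice collects without looking at them: the RDP gateway, the mail platform, the endpoint agent, and the file server. The script below is an added example, not code from the article or from ScamDrill, showing how the signs can be turned into checks that run over log lines. The log format (“timestamp | source | user | event | key=value …”), the business hours, the home country, the internal mail domain, the rename threshold, and every sample line are constructed assumptions; map the rules onto whatever your systems actually emit.

```python
"""Flag early warning signs of a ransomware intrusion in audit-log lines.

Added example, not from the article or ScamDrill. The log format, the
thresholds and the sample lines are constructed assumptions.
"""
import os
import re
from collections import Counter
from datetime import datetime

# Assumptions about the practice (tune to yours).
BUSINESS_HOURS = (7, 19)                      # logins normally happen 07:00-19:00
HOME_COUNTRY = "US"                           # logins from elsewhere are suspicious
INTERNAL_MAIL_DOMAIN = "example-dental.test"  # forwarding anywhere else is external
PROTECTIVE_SERVICES = {"backup-agent", "antivirus", "edr"}
RENAME_BURST = 20                             # renames to one new extension in an hour

LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\S+) \| (.*)$")

# Constructed sample log: a normal Monday, then an intruder using the IT
# vendor's account at 2 a.m. on Tuesday. 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2025-10-06T08:55:12 | rdp | frontdesk1 | login_ok | src=192.168.1.40 country=US
2025-10-06T09:02:40 | mail | dr.patel | login_ok | src=192.168.1.22 country=US
2025-10-06T09:10:00 | mail | dr.patel | inbox_rule_added | action=forward to=billing@example-dental.test
2025-10-06T14:20:31 | fileshare | frontdesk1 | file_renamed | old=/forms/intake.docx new=/forms/intake-v2.docx
2025-10-07T02:13:05 | rdp | itvendor | login_ok | src=203.0.113.7 country=NL
2025-10-07T02:15:44 | mail | dr.patel | inbox_rule_added | action=forward to=archive-backup@example.net
2025-10-07T02:20:10 | host | itvendor | service_stopped | name=backup-agent
2025-10-07T02:21:00 | host | itvendor | service_stopped | name=antivirus
""" + "".join(
    f"2025-10-07T02:30:{i:02d} | fileshare | itvendor | file_renamed "
    f"| old=/charts/{1000 + i}.pdf new=/charts/{1000 + i}.pdf.lockd\n"
    for i in range(25)
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, source, user, event, detail = m.groups()
        fields = dict(p.split("=", 1) for p in detail.split() if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "event": event, "fields": fields})
    return events


def find_warning_signs(events):
    """Return (kind, user, detail) tuples, one per sign the article lists."""
    findings = []
    rename_bursts = Counter()  # (user, hour bucket, new extension) -> count
    for e in events:
        f, ts = e["fields"], e["ts"]
        if e["event"] == "login_ok":
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append(("off_hours_login", e["user"], ts.isoformat()))
            if f.get("country", HOME_COUNTRY) != HOME_COUNTRY:
                findings.append(("foreign_login", e["user"], f.get("src", "?")))
        elif e["event"] == "inbox_rule_added" and f.get("action") == "forward":
            dest = f.get("to", "")
            if not dest.lower().endswith("@" + INTERNAL_MAIL_DOMAIN):
                findings.append(("external_forwarding_rule", e["user"], dest))
        elif e["event"] == "service_stopped" and f.get("name") in PROTECTIVE_SERVICES:
            findings.append(("protection_disabled", e["user"], f["name"]))
        elif e["event"] == "file_renamed":
            old_ext = os.path.splitext(f.get("old", ""))[1]
            new_ext = os.path.splitext(f.get("new", ""))[1]
            if new_ext and new_ext != old_ext:  # extension changed, not just the name
                bucket = ts.replace(minute=0, second=0, microsecond=0)
                rename_bursts[(e["user"], bucket, new_ext)] += 1
    # A burst of renames to one unfamiliar extension is encryption in progress.
    for (user, bucket, ext), n in rename_bursts.items():
        if n >= RENAME_BURST:
            findings.append(("mass_rename", user,
                             f"{n} files -> *{ext} starting {bucket:%Y-%m-%d %H:00}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in find_warning_signs(parse(SAMPLE_LOG)):
        print(f"{kind:25} {user:12} {detail}")
```

Run against the constructed log, the Monday lines produce nothing (the forwarding rule stays inside the practice's domain, the one rename keeps its extension), while the Tuesday lines produce six findings: the off-hours and foreign login, the external forwarding rule, two protective services stopped, and the burst of charts renamed to .lockd. The point of the rename bucket is that a single odd extension is noise; twenty in an hour from one account is the alarm clock the article describes, and the backup and antivirus stops a few minutes earlier are the warning that the backup itself may already be reachable.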

Five things to do this month

None of this requires a hospital budget. It requires deciding that the practice is a target and acting like one before the incident, not after.

  1. Put multi-factor authentication on everything that faces outward. Email, remote access, and your practice-management login. If RDP is exposed to the internet, close it or place it behind a VPN with MFA today. This one change blocks the most common entry routes.
  2. Keep offline, tested backups. A backup the attacker can also reach gets encrypted along with everything else. Keep at least one copy offline or immutable, and actually test a restore so you know it works.
  3. Patch on a real schedule. Set a recurring window for updates to clinical software, the operating system, and network gear, and hold your IT vendor to it in writing.
  4. Do the written risk analysis. It is required by the HIPAA Security Rule, it is the first thing OCR asks for, and its absence is the finding that turns a breach into a six-figure settlement. A current, documented analysis is the cheapest insurance you can buy.
  5. Train and test your team. Since most attacks start with a person clicking, ongoing phishing practice is the highest-leverage habit a small office has. Our 30-day phishing-simulation rollout for small teams is a realistic starting point, and the broader social-engineering playbook for SMBs covers the rest.
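Item 2 says to keep a copy the attacker cannot reach and to actually test a restore. The script below is an added example, not code from the article or from ScamDrill, of what such a restore drill looks like in practice: archive a directory, record a checksum manifest at backup time, restore into a scratch folder, and compare every file to the manifest. It then scrambles the archive, standing in for ransomware that reached an online backup, and shows the same drill fail. The chart directory, file names, archive name and the XOR tamper step are all constructed assumptions; point make_backup() at a real export to use it for a monthly drill, and keep the manifest with the offline copy rather than on the production server.

```python
"""Prove a backup restores, and that a backup the attacker reached does not.

Added example, not from the article or ScamDrill. Runs entirely inside a
temp folder on constructed sample files.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return {relative path: sha256} recorded at backup time."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and check every file against the manifest.

    Returns (ok, problems). An unreadable archive is a failed drill, not a crash:
    that is exactly what an encrypted or truncated backup looks like.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                # Use the safe extraction filter where this Python has it (3.12+ and backports).
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content changed: {rel}")
    return not problems, problems


def run_drill():
    """Constructed drill: a clean restore passes; the archive is then scrambled the
    way ransomware that reached an online backup leaves it, and the drill fails.
    Returns (clean_ok, hit_ok, hit_problems)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        charts = work / "charts"
        (charts / "xrays").mkdir(parents=True)
        (charts / "12345.pdf").write_bytes(b"%PDF-1.4 constructed sample chart\n" * 50)
        (charts / "xrays" / "12345_bitewing.dcm").write_bytes(bytes(range(256)) * 16)
        archive = work / "practice-backup.tar.gz"
        manifest = make_backup(charts, archive)
        clean_ok, _ = verify_restore(archive, manifest)
        # Stand-in for encryption: XOR every byte, so the gzip header is no longer valid.
        archive.write_bytes(bytes(b ^ 0x5A for b in archive.read_bytes()))
        hit_ok, hit_problems = verify_restore(archive, manifest)
    return clean_ok, hit_ok, hit_problems


if __name__ == "__main__":
    clean_ok, hit_ok, problems = run_drill()
    print("clean backup restores:", clean_ok)
    print("encrypted backup restores:", hit_ok, problems)
```

The manifest is the part practices usually skip: without a checksum recorded at backup time, a restore that “completes” can still hand back files an intruder altered before the backup ran, and the drill would not notice. Comparing against the manifest catches both an unreadable archive and a silently changed file, which is the difference between knowing a restore works and hoping it does.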

Find the click before a criminal does.

ScamDrill sends safe, realistic phishing and scam simulations to your staff, with an instant teachable moment the second someone clicks. It turns the front desk from your softest target into your first line of defense, for a tiny fraction of the cost of one breach.


The takeaway

The patient in Indiana did not bring down her dentist with a sophisticated hack. She just asked for her x-rays and would not let it go. The attack had already happened. The settlement came from everything the practice failed to do before and after. For a small office, the lesson is not that the threat is unbeatable. It is that the basics (MFA, offline backups, patching, a written risk analysis, and a trained team) are exactly what separate a bad week from a closed practice. The crews betting against you are counting on those basics staying undone.

Frequently asked questions

Why would a hacker target a small dental or medical practice?

Because the data is valuable and the defenses are thin. A patient chart holds a Social Security number, a date of birth, insurance details, and a medical history, which is worth far more on criminal markets than a stolen credit card. Meanwhile most small practices run on a lean front desk, an outside IT vendor, and software that is patched late so it does not disrupt the schedule. Verizon’s 2025 Data Breach Investigations Report found ransomware was a factor in 88% of breaches at small and medium businesses, compared with 39% at large organizations. Attackers are not picking practices despite their size. They are picking them because of it.

How does ransomware usually get into a practice?

Three doors account for most cases. The first is a phishing email that a staff member opens, often a fake invoice, lab result, or insurance notice. The second is a remote desktop (RDP) connection left open to the internet without multi-factor authentication, which many practices use for after-hours IT support. The third is unpatched software with a known vulnerability. Exploited vulnerabilities were the single leading root cause of healthcare ransomware in 2025. Once inside, attackers quietly copy patient data before they encrypt anything.

Is a ransomware attack automatically a HIPAA breach?

HHS guidance treats the encryption of electronic protected health information by ransomware as a presumed breach unless the practice can demonstrate a low probability that the data was compromised. That presumption triggers the HIPAA Breach Notification Rule: affected patients must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must be reported to HHS within the same 60 days, and to prominent media outlets when more than 500 residents of one state or jurisdiction are affected; smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year. The single most common finding in HHS ransomware settlements is the failure to conduct an accurate and thorough risk analysis, which the Security Rule requires of every covered entity regardless of size.

Should a practice pay the ransom?

CISA, the FBI, and most cyber insurers strongly discourage paying. Paying does not guarantee you get the data back, does not stop attackers from leaking it, and may violate sanctions if the group is on a prohibited list. In Verizon’s 2025 data, 64% of ransomware victims chose not to pay, up from 50% two years earlier, and the median payment fell to $115,000. The better insurance is offline, tested backups plus a written response plan, decided long before an incident.

What are the early warning signs of a ransomware intrusion?

Watch for practice-management or imaging software that suddenly runs slow or crashes, files that will not open or have strange new extensions, antivirus or backups that were turned off without explanation, new mailbox rules quietly forwarding email, and staff logins from unfamiliar locations or at odd hours. Many crews sit inside a network for days before they trigger encryption, so unusual remote-access activity is often the first and only signal you get.
