You’re Not Paranoid–Someone Really is Out to Get Your Patients’ PHI

The bad guys want to steal your patients’ data, and regulators want to punish you if the bad guys succeed.

Updated 6/30/20

The entire dental industry is in the crosshairs of regulators and lawyers who are focused on safeguarding protected health information (PHI). The “bad guys” want to steal your patients’ data, and regulators want to punish you if the bad guys succeed.

Most dental offices have the latest equipment and trained teams to provide excellent patient service, but when it comes to security, many are lacking. This is unfortunate because the dental industry suffers the same trends as healthcare in general: upticks in cyber-attacks, social engineering, malware, and cyber ransom that can cost millions of dollars in response, credit monitoring, and fines. And now the Office of Civil Rights (OCR) is taking a closer look at how PHI is protected–across all forms of health care, including dentistry.

No. 1 Cause of Breaches: Theft

It may be surprising to learn that half of all dental PHI breaches are due to theft. In one 2015 case in Nevada, 12,000 records were compromised when a device with unencrypted data was stolen. In another, a laptop was stolen from the car of a business associate that impacted 76,000 victims.

But other types of incidents are surfacing as well. One large group dental practice last year exposed 151,000 records– complete with patient names, Social Security numbers, birth dates, phone numbers, and home addresses–when hackers used malware to obtain an employee’s username and password for the practice’s membership database.

Theft is Just the Beginning

Theft and hacking are just the beginning. An increasingly popular tactic is crypto-ransomware, a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it.

In fact, ransomware has become so pervasive, the FBI has warned that ransomware has become one of the biggest threats to consumers and businesses. Victims can be infected by clicking on links in malicious emails that appear to be from legitimate businesses and through compromised advertisements on popular websites. Or they can become victims simply by visiting the wrong website, as discovered in one major case in California, where a hacker used cryptoransomware downloaded via browser drive-by (visiting compromised websites) that resulted in the practice being taken offline for several days until backups were recovered. Data recovery was only the beginning of that hack; the dental practice had to notify regulators, and a federal investigation ensued.

Data breaches can be crippling to dental organizations. They can face millions of dollars in losses due to lost business, fines, remediation, and litigation.

How Protected Are You?

One way for dentists to help avoid a PHI breach or loss is to regularly conduct HIPAA security risk assessments (SRAs) in their practices. SRAs look at the current state of affairs and then provide a remediation roadmap that helps the entire team correct gaps in compliance from a technical, physical and administrative perspective. Another way to lessen risks is to take advantage of cloud computing. Storing data in the cloud is a popular choice for dentists due to its agility and cost effectiveness. By moving their server from the office to the cloud, dentists can help defend themselves against the number one cause of compromised PHI–theft of the server due to unsecured in-office environments.

Henry Schein TechCentral and its security partner, ClearDATA, can conduct SRAs and offer cloud technologies and managed services that can play an important role in helping you protect your practice from data thieves. Visit for more information.

Learn More

To learn more about TechCentral security risk assessments call 877.483.0382 or visit

Some of the product(s) and/or service(s) described herein are provided by a third party. Henry Schein, Inc. and its affiliates (“HSI”) make no independent assessment of the content and descriptions provided by such third party, and this content does not constitute an endorsement by HSI. HSI is not responsible for, and expressly disclaims all liability for damages of any kind arising out of such third-party products or services. 

By Chris Bowen, Founder and Chief Privacy & Security Officer of ClearDATA

Originally published in Dentrix Magazine, Summer 2016