HIPAA & Compliance
What to Do If Your Dental Practice Has a Data Breach: The First 60 Days (2026)
By Dolev Arama · Updated June 2026
Someone in your office clicks the wrong link, or your practice-management software (Dentrix, Eaglesoft, or Open Dental) stops opening and a ransom note appears on the screen. Maybe a laptop full of patient records walks out the door. The moment you realize patient data may be exposed, a legal clock starts. Under HIPAA you have a fixed number of days to tell the people affected, and federal regulators pay attention to what you do next. Here is the order to do things in, the deadlines that actually bind you, and the one mistake that turns a bad week into a federal investigation.
The first hour: contain it, but don't destroy the evidence
Your instinct will be to make the problem disappear. Resist deleting anything. The same logs and forensic data you might be tempted to wipe are exactly what you will need to prove what happened and to answer regulators later. The first hour sets up everything that follows.
- Isolate, don't wipe or power down. Disconnect affected devices from the network to stop the spread, but leave them running and intact. Shutting a machine off can overwrite forensic evidence that shows how the attacker got in.
- Bring in a third-party forensics firm, not just your IT company. The people who set up your network are not always the right ones to investigate a breach inside it. A dedicated cybersecurity or digital-forensics team works out how the attacker got in, what they reached, and whether data actually left the building.
- Start a written timeline. Record when you first noticed something, what you saw, and every step you take. The discovery date drives every deadline that follows.
- Call your cyber-insurer. If you carry cyber coverage, notify them right away. Many policies require prompt notice and provide a breach coach who runs the response, and some deny claims if you act on your own first.
- Report it to the FBI. Filing with the FBI's Internet Crime Complaint Center at ic3.gov is voluntary, but law enforcement may share intelligence on the attacker and occasionally help with recovery. It does not replace your duty to notify patients.
- Don't rush to pay a ransom. Paying does not erase your notification obligations, and the FBI generally discourages it. Make that call with counsel and your insurer, not in a panic.
Is this even a reportable breach?
Not every security scare is a reportable breach, but HIPAA puts the burden on you to prove it isn't. A breach can take many shapes: ransomware that locks your records, a lost or stolen laptop, an email sent to the wrong patient, a former employee who copied files on the way out, a stolen server, patient information pasted into a public AI tool, or a breach at the AI scribe vendor that records your visits. Whatever the cause, the same test applies.
Under the Breach Notification Rule (45 CFR 164.402), any impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless you can show a low probability that the information was compromised. You make that call through a documented four-factor risk assessment that weighs the nature of the data involved, who received it, whether it was actually viewed or acquired, and how far the risk has since been contained.
Two words decide whether the rule applies at all. "Unsecured" patient information is data that has not been encrypted or destroyed to the standard HHS specifies; if a stolen laptop was properly encrypted, you may fall under the encryption safe harbor and owe no notification, while data sitting in plain text gets no such protection. "Discovered" is defined broadly: a breach is treated as discovered on the first day anyone on your team knew about it, or reasonably should have (45 CFR 164.404(a)(2)), so your 60-day clock can start running before you have all the facts.
Ransomware deserves a separate note. Owners often assume that if the attacker only locked the data instead of stealing it, nothing was really "disclosed." OCR rejects that reasoning. Its Ransomware Fact Sheet is blunt:
When ePHI is encrypted in a ransomware attack, "a breach has occurred because the ePHI encrypted by the ransomware was acquired."
The attacker taking control of your data is itself the breach, and notification is presumed required unless your risk assessment shows a low probability of compromise.
The 60-day clock: exactly who you must notify
Once you have confirmed a reportable breach, HIPAA's Breach Notification Rule (45 CFR 164.400 through 164.414) lays out who hears about it and when. For a solo or small dental practice, four notifications can apply.
Affected individuals come first: send written notice by first-class mail, or by email if the patient has agreed to electronic notice, without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.404). The letter must explain what happened, what information was involved, what you are doing about it, and what the patient can do to protect themselves.
If 500 or more individuals are affected, notify the Secretary of HHS at the same time you notify patients, through the online breach portal (45 CFR 164.408). If fewer than 500 are affected, keep an internal log and submit it to HHS no later than 60 days after the calendar year ends, which in practice means by about March 1.
If a breach affects more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area, within the same 60-day window (45 CFR 164.406). Most small-practice breaches stay under this threshold, but a large patient list can cross it.
If the breach happened at a business associate (your billing company, cloud host, or IT vendor), they must notify you without unreasonable delay and no later than 60 days after they discover it (45 CFR 164.410). The clock for telling your patients is still yours to manage, which is why many practices contractually require vendors to report within days, not weeks.
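To make the four notifications above concrete, here is an added Python example (not code from this article, HHS, or any vendor tool) that works out who must be told and by when from the facts of a breach; the BreachFacts fields and the sample dates and counts are constructed assumptions. It also shows why "about March 1" for the annual under-500 report shifts to February 29 when the 60 days after year end fall in a leap year.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# 45 CFR 164.404(b): notice no later than 60 calendar days after discovery.
NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500  # 164.408(b): 500 or more individuals
MEDIA_THRESHOLD = 500          # 164.406: more than 500 residents of one state

@dataclass
class BreachFacts:
    # ISO dates on which someone in the workforce knew, or reasonably should
    # have known, of the breach: taken from the written timeline (assumed).
    known_on: list[str]
    affected_total: int
    affected_by_state: dict[str, int] = field(default_factory=dict)

def discovery_date(facts: BreachFacts) -> date:
    """164.404(a)(2): the earliest day anyone knew or should have known."""
    return min(date.fromisoformat(d) for d in facts.known_on)

def hhs_deadline(discovered: date, affected_total: int) -> date:
    """164.408: with patient notice if 500+, else 60 days after year end."""
    if affected_total >= HHS_IMMEDIATE_THRESHOLD:
        return discovered + NOTICE_WINDOW
    return date(discovered.year, 12, 31) + NOTICE_WINDOW

def media_notice_states(facts: BreachFacts) -> list[str]:
    """164.406: states where more than 500 residents are affected."""
    return sorted(s for s, n in facts.affected_by_state.items() if n > MEDIA_THRESHOLD)

def notification_plan(facts: BreachFacts) -> dict:
    """Who must hear about a confirmed breach, and by when (ISO dates)."""
    discovered = discovery_date(facts)
    return {
        "discovered": discovered.isoformat(),
        "individuals_by": (discovered + NOTICE_WINDOW).isoformat(),
        "hhs_by": hhs_deadline(discovered, facts.affected_total).isoformat(),
        "media_states": media_notice_states(facts),
    }

if __name__ == "__main__":
    # Constructed example: front desk saw odd behaviour on Feb 10, the breach
    # was confirmed on Mar 2; 6,800 people affected, 6,500 of them in one state.
    facts = BreachFacts(["2026-03-02", "2026-02-10"], 6800, {"NY": 6500, "NJ": 300})
    print(notification_plan(facts))
```

Note that the two thresholds differ: HHS reporting moves into the 60-day window at 500 or more individuals, while media notice needs more than 500 residents of a single state or jurisdiction.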
A real case: the report that opened the door
In December 2020, a small New York neurology practice called Comprehensive Neurology, PC reported to the HHS Office for Civil Rights that its entire IT network, including all of its electronic patient records, had been encrypted by ransomware. About 6,800 people were affected. The exposed data included names, clinical information, Social Security numbers, and driver's license numbers.
Here is the part most practice owners miss. The breach report Comprehensive was legally required to file is the same document that opened a federal investigation. And the first thing investigators looked for was something every covered entity must already have: an accurate, thorough risk analysis of where its patient data lived and how it was protected (45 CFR 164.308(a)(1)). Comprehensive didn't have one. In April 2025 it agreed to pay $25,000 and to operate under a corrective action plan monitored by OCR for two years.
The dollar figure is small by enforcement standards. The lesson is not. OCR did not penalize the practice for being attacked; ransomware hits well-run organizations too. It acted because, when investigators asked the practice to show how it had assessed its own risks, there was nothing to show.

The fine is rarely the worst part. A ransomware attack can freeze your scheduling, billing, and imaging for days, and a breach notice arriving in your patients' mailboxes can cost trust that took years to build. Those losses are harder to measure than a settlement, and they are why the response you run in the first week matters as much as any check you might eventually write.
The hard part of a breach isn't fixing the gaps. It's knowing which ones you have before OCR does. The HIPAA Risk Scorecard checks the 10 things OCR looks at first, then gives you a short risk review and an intro to a vetted specialist. It takes about 3 minutes. Check my practice →
What OCR looks for after a breach
A breach report triggers a review of your entire security program, not just the incident. Drawing on its own guidance from the Comprehensive case, OCR expects a practice to produce a current risk analysis showing where electronic patient data enters, moves through, and leaves its systems, alongside a risk management plan that actually closes the gaps that analysis found. It looks for audit controls that record and let you review system activity, encryption of patient data in transit and at rest where appropriate, workforce training built around your practice and each person's real job, and evidence that you fed the lessons from any incident back into how you work.
None of this is about the attack itself. It is about whether you ran a real compliance program before it happened. That is the gap between owning a free risk-assessment template and having something that would hold up under an OCR review.
A free self-assessment tool will get you started. It won't tell you whether your program would survive a breach report landing on a regulator's desk tomorrow. If you want a clear read on where your practice actually stands, start with the Scorecard.
How to make sure you never read this in a panic
Breach response is the expensive end of HIPAA. The cheap end is prevention, and it begins with the same document OCR asked Comprehensive for. We break down what a dental HIPAA risk assessment costs separately. If you are reading this before anything has gone wrong, this is where your attention pays off most. A handful of moves cover most of the risk for a small dental practice:
- Run a real risk analysis, then fix what it finds. This is the single most-cited failure in OCR settlements. We break down what one involves in our guide to HIPAA risk assessments for dental practices.
- Encrypt laptops, backups, and any device that touches patient data, so a lost or stolen device falls under the safe harbor.
- Sign a business associate agreement with every vendor that handles patient data, and require fast breach reporting inside it.
- Train your team on phishing and basic security, since most breaches start with a click.
- Put your rule on free AI tools in writing, so patient details never land in a public chatbot. The staff AI-use policy a small practice needs takes one page.
- Keep tested, offline backups, so ransomware can't take your records hostage.
If a colleague's breach is what brought you here, the honest next step is to find out whether your own practice would hold up, which is exactly what the Scorecard is built to show you before a regulator ever asks. And if you want to understand what a federal investigation involves before you ever face one, we walk through it in what happens when a dental practice fails a HIPAA audit.
The catch: where this gets complicated
A few things trip up small practices:
- Small breaches still require patient notice. The under-500 rule changes only when you tell HHS, not whether you tell the people affected. They still get notified within 60 days.
- "Discovery" may be earlier than you think. If a staff member noticed something odd weeks ago, your clock may have started then, not on the day you formally confirmed the breach.
- You carry the burden of proof. If you decide an incident was not a reportable breach, you must document the risk assessment that justifies it (45 CFR 164.414). "We assumed it was fine" is not a defense.
- State law often adds rules. Most states have their own breach-notification laws, some with shorter deadlines or different triggers than HIPAA. Check your state's requirements, or have someone check them for you.
This article is general information, not legal advice. Breach decisions depend on facts specific to your practice; confirm current requirements with the U.S. Department of Health and Human Services or qualified counsel before you act. The case and rules described here come from HHS and the Code of Federal Regulations.
About the author
Dolev Arama is the founder of Hipsana, where he runs the HIPAA Risk Scorecard and the short practice risk reviews behind it. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. Its compliance writing starts from primary regulators (HHS, OCR, NIST) and is checked against their current text before anything goes live. More about Hipsana →
Sources
- HHS Office for Civil Rights, Resolution Agreement and press release, Comprehensive Neurology, PC (April 2025).
- HHS Office for Civil Rights, Ransomware Fact Sheet.
- 45 CFR §§ 164.400-414, Breach Notification Rule (eCFR, current).
- 45 CFR § 164.308(a)(1) (eCFR, current).
- FBI Internet Crime Complaint Center (ic3.gov).
Frequently asked questions
How long do I have to report a HIPAA breach?
You must notify affected individuals without unreasonable delay and no later than 60 calendar days after you discover the breach (45 CFR 164.404). If 500 or more people are affected, you also notify HHS within that same 60 days. For breaches affecting fewer than 500 people, you keep an internal log and report it to HHS no later than 60 days after the end of the calendar year.
Do I have to report a breach if fewer than 500 patients were affected?
Yes. The size of the breach changes when you notify HHS, not whether you notify patients. Affected individuals still receive notice within 60 days. Breaches under 500 people are recorded in an internal log and submitted to HHS annually, by roughly March 1 of the following year (45 CFR 164.408).
What if the data breach was my IT company's fault?
A business associate, such as your IT vendor or billing company, must notify you of a breach without unreasonable delay and no later than 60 days after they discover it (45 CFR 164.410). The legal responsibility to notify your patients still rests with your practice, which is why many practices require vendors by contract to report breaches within a few days.
Is a ransomware attack automatically a HIPAA breach?
Usually, but not always. When ransomware encrypts patient data, OCR's position is that a breach has occurred because the attacker acquired control of the data. HIPAA then presumes a reportable breach unless you can show, through a documented four-factor risk assessment, a low probability that the information was compromised (45 CFR 164.402). If the data was already encrypted to the HHS standard, the encryption safe harbor may apply.
Will OCR fine a small dental practice over a breach?
Small practices are investigated and do pay. In 2025, OCR settled with a small New York neurology practice for $25,000 after a ransomware breach, because the practice had never conducted a required risk analysis. OCR's focus after a breach is whether you ran a real security program, not whether you happened to be attacked.
Do I have to notify the media about a breach?
Only for larger breaches. If a breach affects more than 500 residents of a single state or jurisdiction, you must notify prominent media outlets serving that area within 60 days (45 CFR 164.406). Most small-practice breaches do not reach this threshold.
Do I have to report a breach to anyone besides HHS?
Possibly. Beyond notifying affected patients, HHS, and sometimes the media under HIPAA, reporting the attack to the FBI's Internet Crime Complaint Center at ic3.gov is voluntary but recommended. Many states also have their own breach-notification laws that can require notice to the state attorney general or other agencies, sometimes on a shorter timeline than HIPAA. Check your state's rules, or ask counsel.
What happens if I don't report a breach?
Failing to report a breach you were required to report can itself be treated as a violation, and HHS has indicated it can rise to the level of willful neglect, which carries higher mandatory penalties. The notification rules are not optional, and the burden is on you to document any decision that an incident was not reportable.
Should I pay the ransom in a ransomware attack?
This is a decision for counsel, your insurer, and law enforcement, not a quick call in the moment. Paying does not remove your duty to notify affected patients and HHS, and the FBI generally discourages payment because it funds further attacks and does not guarantee that you get your data back. This is general information, not legal advice.