Ransomware at a Dental Practice: What HIPAA Requires and What to Do First (2026)

By Dolev Arama · Updated June 2026

When ransomware hits a dental practice, two problems arrive at the same moment. The office cannot see patients because the schedule, the charts, and the imaging are locked, and underneath that, HIPAA very likely treats the attack as a reportable breach that is already on a clock. The tempting move, restoring from a backup and saying nothing, is the one that turns a bad week into an enforcement file. Here is what to do in the first hours, how the notification rules work, and how to set things up now so an attack stays an IT problem instead of becoming a HIPAA problem on top of it.

This article explains what HIPAA requires of a dental practice facing a ransomware attack. It is general information, not legal advice for your specific situation. For that, consult a healthcare attorney or a qualified HIPAA compliance professional.

If a ransomware attack is happening right now

The first hour sets up everything that follows, and most of it is about not making the situation worse. The steps below come from federal cyber-defense guidance and from how cyber insurers run a claim. They are practice, not a HIPAA rule, but they are how a small office keeps an incident from turning into a second crisis.

1. Isolate the infected machines, do not turn them off

Unplug the network cable and disable Wi-Fi on anything affected. If several computers are hit, have someone take the network offline at the switch. Federal guidance says to power a device down only if you cannot disconnect it any other way, because powering off can erase evidence stored in memory.

2. Call your cyber insurer or breach coach before retaining outside vendors

Do this after the containment step above, not before it. Most cyber policies require you to use their approved forensics and legal vendors, and hiring your own first can mean those costs are not covered. The insurer's breach coach, usually a lawyer, then coordinates the forensics, the law-enforcement reporting, and the notification clock.

3. Communicate off the affected network

Use a phone or an email account that is not on the compromised system. An attacker who is still inside may be reading your email, and quiet coordination keeps them from spreading the damage before you can contain it.

4. Leave the backups alone for now

Do not delete, overwrite, or restore them onto live systems yet. They are both your way back and your evidence, and a rushed restore can reinfect a network that is not yet clean.

5. Write everything down on paper

Note what you saw on screen and who you contacted, along with the times. Your systems may be down, and this paper record becomes your proof that you responded quickly and in good faith.

6. Report it to the FBI

File through the FBI's Internet Crime Complaint Center at ic3.gov or call a local field office. CISA also accepts reports, and law enforcement sometimes holds a decryption key for a known ransomware strain.

Is a ransomware attack a reportable breach?

In most cases, yes. The Office for Civil Rights, the part of HHS that enforces HIPAA, takes the position that when ransomware encrypts patient data, the data has been acquired by someone who was not allowed to have it, which makes the attack a disclosure that was not permitted. From there, the Breach Notification Rule presumes a reportable breach unless you can show, with a documented risk assessment, a low probability that the information was compromised. OCR's Ransomware Fact Sheet says the same thing in plain terms.

To overcome that presumption, the rule requires you to weigh four specific factors and document the result:

  • What information was involved, including how identifiable it is.
  • Who the unauthorized person was, or who received the data.
  • Whether the data was actually viewed or taken, not just exposed.
  • How well the risk has since been reduced.

If that assessment does not land on a low probability of compromise, the attack is a reportable breach and the clock is running (45 CFR 164.402). There is one real exception. If the data was already encrypted to the standard HHS specifies, so that it was unreadable to the attacker, it may not count as unsecured information and the duty to notify may not apply. The catch is that the data has to have been unreadable at the moment of the attack. A laptop that was already powered on and logged in has its files decrypted and available, so its encryption does not help. Confirm what was actually protected before you rely on it.

Is this ransomware a reportable breach, at a glance

  • Ransomware encrypted patient data that was not already secured (the usual case). What HIPAA presumes: a reportable breach. What it means for you: run and document the four-factor assessment; if it does not show a low probability of compromise, notify.
  • You restored everything from backup and believe nothing was lost. What HIPAA presumes: still a reportable breach. What it means for you: recovery does not remove the presumption; the attacker still took control of the data.
  • The data was encrypted to the HHS standard and stayed unreadable to the attacker. What HIPAA presumes: the encryption safe harbor may apply. What it means for you: confirm the data was actually unreadable at the moment of attack, and document why.
  • The attacker also copied data out before encrypting it. What HIPAA presumes: a reportable breach, and a wider one. What it means for you: treat it as a breach; stolen data weighs heavily toward notifying.

How fast do you have to act, and who do you have to tell?

The deadline is tied to a date most practices get wrong. The 60-day window to notify does not start when your investigation wraps up. It starts on the day the breach is discovered, which the rule defines as the first day anyone on your staff knew about it, or reasonably should have (45 CFR 164.404). Waiting for a final forensic report before you start the notification work is how practices miss the deadline.

Who you have to notify depends on size. Every affected patient must be told, in writing and without unreasonable delay, no later than 60 days after discovery. If the attack affects more than 500 residents of your state, you also have to notify prominent local media outlets, which for a busy practice is an uncomfortably low bar to cross. And you must notify HHS: at the same time as patients if 500 or more people are affected, or on an annual log for smaller breaches. The exact contents of each notice, and the steps to send them, are covered in our guide to responding to a dental data breach.

What OCR has actually done about this

This is not a theoretical risk for small practices. In April 2026, OCR announced four settlements at once, all following ransomware attacks, for a combined $1,165,000 covering more than 427,000 people. The organizations were different sizes and types, but the finding underneath every one was the same: none had done an accurate and thorough risk analysis, the assessment the Security Rule requires. OCR did not act against them for being attacked. It acted because the groundwork underneath was missing, above all the risk analysis that was never done.

The largest of the four shows how the pieces fit. Assured Imaging, a medical imaging provider in Arizona and California, had ransomware encrypt its electronic medical records in May 2020, exposing the data of 244,813 people. OCR found three problems: the practice could not show it had ever done a compliant risk analysis, it had impermissibly disclosed patient data, and it had not notified the affected people in time. It paid $375,000 and accepted two years of federal monitoring. The ransomware was the event. The missing groundwork was the violation.

Summary card (image): the U.S. Department of Health and Human Services, Office for Civil Rights settlement with Assured Imaging Affiliated Covered Entities, a medical imaging and screening provider in Arizona and California, announced April 23, 2026. Ransomware encrypted the company's electronic medical records in May 2020, affecting 244,813 individuals. OCR cited a missing risk analysis, an impermissible disclosure of protected health information, and untimely breach notification. Assured Imaging paid a $375,000 settlement with a two-year corrective action plan. Prepared by Hipsana from the HHS resolution agreement.

A ransomware attack tests the groundwork you laid long before it, and the practices that get hit hardest are usually the ones whose foundation was thin to begin with. The free HIPAA Scorecard checks ten core Security Rule controls that line up with what OCR pointed to in these cases, including the risk analysis every one of these settlements turned on and whether you keep usable backups, then names your biggest gap in about three minutes. It does not run a ransomware drill, but it shows whether the foundation an attack would test is actually in place.

How to be ready before it happens

Readiness for ransomware is mostly readiness for two questions an investigator will ask: could you recover without the attacker, and had you done the work to see the risk coming. Both are things you set up on a quiet day, not during an incident.

The first is backups, and the detail that matters is where they live. A backup that is always connected to your network is a backup the ransomware can encrypt along with everything else, which is exactly what happened to hundreds of dental offices in 2019 when attackers reached the cloud service their records were backed up to. The common standard in the industry is called 3-2-1-1-0:

  • Three copies of your data.
  • On two different kinds of media.
  • With one copy stored off-site.
  • One copy kept offline or unchangeable, where ransomware cannot reach it.
  • Tested until a restore comes back with zero errors.

That is an industry practice, not a HIPAA rule. What HIPAA requires is narrower but related: a data backup plan, a disaster recovery plan, and an emergency mode operation plan, all of which are required, not optional, parts of the Security Rule's contingency standard.
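The two checks an investigator would ask about, whether the backup layout actually meets 3-2-1-1-0 and whether a restore comes back with zero errors, can both be scripted. The following is an added example written for this article, not Hipsana's tooling or anything the Security Rule prescribes. The inventory it audits is constructed: a small office whose server backup, NAS copy, and always-connected cloud sync are all reachable from the office network (the layout that failed the 2019 dental offices), beside the same office after adding one rotated, off-line drive. The restore test builds a throwaway data set in a temporary directory, records a SHA-256 manifest, "restores" it by copying, and reports every missing or altered file, so a partially encrypted file slipping into a restore is caught rather than counted as a success.

```python
"""Audit a backup inventory against 3-2-1-1-0 and verify a restore.

Added example for this article, not Hipsana's tooling. The inventories below are
constructed, typical small-office layouts, not data from any real practice.
"""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str       # "disk", "cloud", "tape", ...
    offsite: bool    # stored away from the office
    isolated: bool   # offline, or immutable/object-locked: nothing on the LAN can alter it


# Constructed inventory: every copy, including the cloud one, is reachable from the
# office network, so ransomware can encrypt all three.
TYPICAL_INVENTORY = [
    BackupCopy("practice-server local backup", "disk", offsite=False, isolated=False),
    BackupCopy("office NAS nightly copy", "disk", offsite=False, isolated=False),
    BackupCopy("cloud sync (always connected)", "cloud", offsite=True, isolated=False),
]

# Same office after adding one copy that ransomware on the network cannot reach.
HARDENED_INVENTORY = TYPICAL_INVENTORY + [
    BackupCopy("weekly drive, rotated off-site", "disk", offsite=True, isolated=True),
]


def audit_3_2_1_1_0(copies, restore_errors):
    """Map each element of 3-2-1-1-0 to True (met) or False (gap)."""
    return {
        "three copies": len(copies) >= 3,
        "two media types": len({c.media for c in copies}) >= 2,
        "one copy off-site": any(c.offsite for c in copies),
        "one copy offline or immutable": any(c.isolated for c in copies),
        "zero restore errors": restore_errors == 0,
    }


def gaps(copies, restore_errors):
    """Names of the requirements the inventory fails."""
    return [name for name, ok in audit_3_2_1_1_0(copies, restore_errors).items() if not ok]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; store it with the backup."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; any error means the restore
    does not count as tested."""
    restored_root = Path(restored_root)
    errors = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            errors.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            errors.append(f"hash mismatch: {rel}")
    return errors


def simulate_restore_test(corrupt_one_file):
    """Build a tiny constructed data set, 'restore' it by copying, optionally damage
    one restored file, and return the number of verification errors."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "charts").mkdir(parents=True)
        (source / "charts" / "patient-0001.txt").write_text("constructed chart record\n")
        (source / "schedule.csv").write_text("date,chair,patient\n2026-06-01,1,0001\n")
        (source / "xray-0001.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(source)

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        if corrupt_one_file:
            # a truncated or encrypted file in the restore must be reported, not ignored
            (restored / "xray-0001.bin").write_bytes(b"\x00" * 16)
        return len(verify_restore(manifest, restored))


if __name__ == "__main__":
    for label, inv in (("typical", TYPICAL_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        print(label, "gaps:", gaps(inv, simulate_restore_test(corrupt_one_file=False)) or "none")
    print("errors in a corrupted restore:", simulate_restore_test(corrupt_one_file=True))
```

The typical layout passes four of the five checks and fails only the isolated-copy one, which is exactly the copy that decides whether the office can recover without the attacker. In practice the manifest would be written at backup time and kept with the off-line copy, and the restore verification run against a real restore into a clean, disconnected system rather than a temporary directory.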

The second is the groundwork OCR keeps citing. A documented risk analysis finds the gaps before an attacker does, and turning on multi-factor authentication closes the most common way ransomware gets in. There is one more reason to do this work in advance. If you ever face the question of whether to pay a ransom, the Treasury Department's sanctions office treats strong backups, an incident response plan, and prompt reporting to law enforcement as factors that count in your favor.

Whether to pay is not a decision to make alone or in the moment. The government strongly discourages it, and paying a ransom can violate U.S. sanctions law if the money reaches a sanctioned group, a risk that applies even if you did not know who was behind the attack. Paying also does not remove your duty to notify patients and HHS. Leave that decision to your breach counsel, your insurer, and law enforcement, who can check the payment against the sanctions list and weigh whether it makes sense at all.

About the author

Dolev Arama is Hipsana's founder. He's the one behind the Scorecard and the short risk reviews it produces. He is not an attorney, and Hipsana is a publisher and referral service, not a law firm or a healthcare provider. The writing here starts where the rules actually live, at HHS, OCR, and NIST, and gets checked against their current text before it goes up. Regulatory claims trace back to those sources, and figures name where they come from; anything that can't be verified is labeled rather than asserted.

Sources

  • U.S. Department of Health and Human Services, Office for Civil Rights, “Fact Sheet: Ransomware and HIPAA” (hhs.gov, accessed June 2026): when ransomware encrypts electronic protected health information, the data is considered acquired and the incident is presumed to be a reportable breach unless a four-factor risk assessment shows a low probability of compromise.
  • 45 CFR § 164.402 (definition of breach and the four-factor risk assessment) and 45 CFR § 164.414(b) (the covered entity or business associate bears the burden of proof) (eCFR, current as of June 2026).
  • 45 CFR § 164.404 (notify affected individuals without unreasonable delay and no later than 60 days after discovery), § 164.406 (notify prominent media for a breach affecting more than 500 residents of a State or jurisdiction), and § 164.408 (notify the Secretary, contemporaneously for 500 or more individuals and on an annual log for smaller breaches) (eCFR, current as of June 2026).
  • 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis, a required implementation specification), § 164.308(a)(6) (security incident procedures, required), and § 164.308(a)(7) (contingency plan, under which the data backup plan, disaster recovery plan, and emergency mode operation plan are each required) (eCFR, current as of June 2026).
  • U.S. Department of Health and Human Services, Office for Civil Rights, “HHS’ Office for Civil Rights Settles Four HIPAA Security Rule Ransomware Investigations” (hhs.gov, April 23, 2026): four settlements totaling $1,165,000 over ransomware breaches affecting more than 427,000 individuals, each citing a failure to conduct an accurate and thorough risk analysis.
  • U.S. Department of Health and Human Services, Office for Civil Rights, Assured Imaging Resolution Agreement and Corrective Action Plan (hhs.gov, April 2026): ransomware encrypted the practice’s electronic medical records in May 2020, affecting 244,813 individuals; OCR cited a missing risk analysis, an impermissible disclosure of protected health information, and untimely breach notification; the practice paid $375,000 and accepted a two-year corrective action plan; the settlement is not an admission of liability.
  • Cybersecurity and Infrastructure Security Agency, #StopRansomware response guidance (cisa.gov, accessed June 2026): isolate affected systems rather than powering them down, use out-of-band communication during an incident, keep backups offline, and report incidents to the FBI.
  • U.S. Department of the Treasury, Office of Foreign Assets Control, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (treasury.gov, September 21, 2021): the U.S. government discourages ransom payments, which can carry sanctions risk on a strict-liability basis, and lists strong cybersecurity practices and prompt reporting to law enforcement as mitigating factors.
  • Reporting on the 2019 ransomware incidents at PerCSoft / Digital Dental Record (DDS Safe) and Complete Technology Solutions, which encrypted records at hundreds of U.S. dental practices through their shared IT and backup providers (Krebs on Security and the Wisconsin Dental Association, 2019), used here as industry illustration rather than as a regulatory source.

Frequently asked questions

We restored everything from backup after a ransomware attack. Do we still have to report it?

Almost always, yes. HIPAA presumes that when ransomware encrypts patient data, the data was acquired by the attacker, which makes the attack a reportable breach. Recovering your files does not undo that. The only way out is to document, through a four-factor risk assessment, that there was a low probability the information was actually compromised, and that is a high bar once an attacker has encrypted the data (45 CFR 164.402).

Who should we call first after a ransomware attack?

Your cyber insurance carrier or the breach coach your policy assigns, before you bring in your own IT company. Most policies require you to use their approved forensics and legal vendors, and hiring your own first can leave those costs uncovered. The breach coach, usually an attorney, then coordinates the rest of the response, including law enforcement and the notification deadlines.

What is a 3-2-1-1-0 backup, and does HIPAA require it?

It is an industry standard for resilient backups: three copies of your data, on two types of media, with one copy off-site, one copy kept offline or unchangeable, and zero errors when you test a restore. HIPAA does not require that exact formula. It requires a data backup plan that keeps retrievable, exact copies of your records (45 CFR 164.308(a)(7)). The part that matters most against ransomware is the offline copy, because modern attacks encrypt the backups they can reach.

How quickly do we have to notify after a ransomware breach?

Without unreasonable delay, and no later than 60 days after you discover the breach. The clock starts when anyone on your staff first knew, or reasonably should have known, about it, not when your investigation finishes (45 CFR 164.404). If the breach affects more than 500 residents of your state, you also have to notify local media, and HHS must be told at the same time as patients for breaches of 500 or more people.

Should we pay the ransom?

That is a legal and business decision for your breach counsel, your insurer, and law enforcement, not a quick call in the moment. The U.S. Treasury's sanctions office warns that paying can violate sanctions law if the money reaches a sanctioned group, a risk that can apply even if you did not know who was behind the attack. Paying also does not remove your duty to notify patients and HHS. This is general information, not legal advice.

Does HIPAA actually require us to keep backups?

Yes. The Security Rule's contingency standard requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and all three are required rather than optional (45 CFR 164.308(a)(7)). The goal is that you can keep operating and recover your records even if an attack or a disaster takes your systems down.