Dental Practice Ransomware Settlement

michael • June 29, 2026

Share this article

A single-location dental practice in Indiana paid a $350,000 state settlement after a 2020 ransomware attack went unreported for two years — a case that shows how delayed disclosure can cost more than the breach itself.


What happened in this dental ransomware case?


Ransomware encrypted a server containing treatment plans, dental charts, and biometric data at the practice. The files could not be recovered internally, and the practice was locked out of its own patient records.

The breach was not reported to regulators until two years after it occurred. When investigators reviewed the case, they found the scope had been understated, and they uncovered separate HIPAA violations unrelated to the ransomware itself — including patient details disclosed in public social media and online review responses.


How much did the breach cost the practice?


The state settlement totaled $350,000. The terms also required mandatory staff HIPAA retraining and a court-ordered overhaul of the practice's data security protocols. These costs came on top of the original downtime and data loss from the ransomware event itself — they did not replace it.


Why did the two-year delay make this worse?


HIPAA requires breach notification within a defined window after discovery. A two-year gap between the incident and disclosure is itself a compliance violation, separate from the ransomware attack. Regulators treat delayed or downplayed disclosure as an aggravating factor, not a neutral one — it signals an absence of an incident response process, which increases both the fine and the scrutiny applied to everything else found during the investigation.


What would a managed IT provider have done differently?


  • No detection caught the attack until files were already encrypted. Around-the-clock monitoring flags ransomware behavior — mass file encryption, abnormal access patterns — before it spreads across the practice.


  • Server-side patient data was unrecoverable once encrypted. Encrypted, regularly tested off-site backups turn a ransomware event into a same-day restore, not a permanent loss.


  • A two-year gap passed before HIPAA notification went out. A documented incident response plan defines breach-assessment and notification timelines in advance, so disclosure happens within the legally required window instead of years later.


  • Unrelated privacy violations surfaced only because regulators went looking. Ongoing staff training on HIPAA-compliant communication closes that kind of gap before it ever becomes part of a regulatory finding.


The bottom line


This wasn't a sophisticated, unstoppable attack. It was one unmonitored server and a practice with no incident response plan — the exact gap a fixed-fee managed IT partnership is built to close.

Recent Posts

By michael April 16, 2026
Vault Technologies Case Study — Synology 4‑Bay NAS Recovery for GoodGardens
By michael March 12, 2026
This is a subtitle for your new post
By michael March 12, 2026
Case Study: Emergency Data Recovery for a Time‑Sensitive Project
By michael February 24, 2026
Why Vault Technologies Is Becoming Oregon's Trusted IT Partner for Senior Care — and Beyond In a crowded field of MSPs, most companies promise the same things: "fast support," "reliable service," "expert technicians." But the organizations we serve aren't looking for another generic IT provider. They're looking for a partner who understands the stakes of what they do — and shows up with the discipline, documentation, and clarity to match. That's exactly why Vault Technologies was built. As a Service-Disabled Veteran-Owned and Woman-Owned business, we built Vault on the values that shaped our careers: precision, integrity, and accountability. We don't believe in vague promises or confusing pricing. We believe in clear expectations, transparent processes, and IT support that feels like a partnership rather than a gamble. That's what makes Vault different — and it's the thread running through everything we've built since. Built on Discipline, Documentation, and Trust Most MSPs operate behind the curtain. Clients rarely know what's happening, what's included, or what they're paying for. Vault Technologies takes the opposite approach. We document everything. We communicate proactively. We set boundaries clearly. We price transparently — flat, per-seat, per-month, with no hourly billing surprises. Our clients know exactly what we do, how we do it, and what to expect at every step. That clarity builds trust — and trust is the foundation of every long-term partnership we have. A Rare Hybrid: IT Expertise and Clinical Understanding One of the biggest gaps in healthcare IT is the divide between people who understand technology and people who understand care delivery. Most MSPs only know the former. Vault closes that gap. Our co-founder Kristina brings 15 years of nursing experience, including hospice and home care, to every conversation we have with assisted living, home health, and hospice clients. We don't just know what EHR downtime looks like on a dashboard — we know what it means for a med-pass window or a shift change when systems fail. That's a hybrid skillset almost no other MSP in Oregon can offer, and it's why we built our service tiers — Foundation, Continuum, and Vigil — specifically around the realities of shift-based care, not a generic 9-to-5 business clock. A Partner Built for Other MSPs, Too Vault isn't just direct-to-client. We're also structured to support other MSPs who need additional capacity without the overhead of hiring. Through our white-label and subcontracting model, we offer: Overflow ticket capacity when an MSP's queue gets ahead of them Standing capacity partnerships for MSPs ready to free up their senior techs Full-scope backend delivery for MSPs that want to focus on sales and relationships while we run help desk, NOC, security, and M365 administration behind the scenes Every tier comes with clear, published pricing and a transparent application process — because the same documentation-first approach we bring to direct clients applies to our MSP partners too. Certified and Ready for Government and Prime Contracting As a certified SDVOSB, VOSB, WOSB, and EDWOSB small business, Vault is also positioned to support federal, state, and local agencies, as well as prime contractors building out their subcontracting base. We're registered in SAM.gov and eligible for set-aside and sole-source opportunities — backed by the same audit-ready documentation and disciplined execution that defines how we operate everywhere else. Veteran Values, Applied Everywhere We Work Being veteran-owned isn't a marketing slogan for us — it's a mindset. It shows up in how we communicate. It shows up in how we document. It shows up in how we treat clients and partners alike. It shows up in how we build systems that scale — whether that's a single assisted living facility or an MSP partner's entire book of business. Why Organizations Choose Vault Technologies Organizations across Oregon and beyond choose Vault because we offer: Clear, transparent, per-seat pricing Professional, jargon-free communication Documented, audit-ready processes Veteran-level discipline Real clinical understanding for senior care and home health A scalable model for MSP partnerships and government contracting A modern, approachable brand built on substance, not slogans We're not trying to be the biggest MSP in Oregon. We're becoming the most trusted — for the care organizations who depend on us, the MSPs who partner with us, and the agencies who need a certified, capable small business they can rely on. The Future of Vault Technologies  Our mission is simple: become the most trusted IT partner for the organizations that value clarity, reliability, and professionalism — whether that's a senior care facility that can't afford technology failure, an MSP looking for a dependable subcontractor, or an agency seeking a certified small business partner. This is the standard we hold ourselves to, and the standard our clients and partners have come to expect.