Dental Practice Ransomware Settlement

A single-location dental practice in Indiana paid a $350,000 state settlement after a 2020 ransomware attack went unreported for two years — a case that shows how delayed disclosure can cost more than the breach itself.
What happened in this dental ransomware case?
Ransomware encrypted a server containing treatment plans, dental charts, and biometric data at the practice. The files could not be recovered internally, and the practice was locked out of its own patient records.
The breach was not reported to regulators until two years after it occurred. When investigators reviewed the case, they found the scope had been understated, and they uncovered separate HIPAA violations unrelated to the ransomware itself — including patient details disclosed in public social media and online review responses.
How much did the breach cost the practice?
The state settlement totaled $350,000. The terms also required mandatory staff HIPAA retraining and a court-ordered overhaul of the practice's data security protocols. These costs came on top of the original downtime and data loss from the ransomware event itself — they did not replace it.
Why did the two-year delay make this worse?
HIPAA requires breach notification within a defined window after discovery. A two-year gap between the incident and disclosure is itself a compliance violation, separate from the ransomware attack. Regulators treat delayed or downplayed disclosure as an aggravating factor, not a neutral one — it signals an absence of an incident response process, which increases both the fine and the scrutiny applied to everything else found during the investigation.
What would a managed IT provider have done differently?
- No detection caught the attack until files were already encrypted. Around-the-clock monitoring flags ransomware behavior — mass file encryption, abnormal access patterns — before it spreads across the practice.
- Server-side patient data was unrecoverable once encrypted. Encrypted, regularly tested off-site backups turn a ransomware event into a same-day restore, not a permanent loss.
- A two-year gap passed before HIPAA notification went out. A documented incident response plan defines breach-assessment and notification timelines in advance, so disclosure happens within the legally required window instead of years later.
- Unrelated privacy violations surfaced only because regulators went looking. Ongoing staff training on HIPAA-compliant communication closes that kind of gap before it ever becomes part of a regulatory finding.
The bottom line
This wasn't a sophisticated, unstoppable attack. It was one unmonitored server and a practice with no incident response plan — the exact gap a fixed-fee managed IT partnership is built to close.