Dental Tech Companies Suffer Ransomware Attack


Two dental technology companies recently had their systems held hostage by ransomware attacks, affecting an estimated 400 dental practices. 

If you are a dental professional that relies on a third-party company to store your patients’ protected health information (PHI), you must have a Business Associate Agreement (BAA) in place to ensure that you are not held liable for such third-party failures. You can get a free BAA for your practice by signing up for CEDR’s on-demand HIPAA training program, which is free to use for the first year.


What Is Ransomware?

Ransomware is malicious software that encrypts the data on a system so that its owner (and anyone else who relies on that data) can no longer access it. The attackers then demand a ransom in exchange for the key needed to decrypt the data, and the information stays inaccessible until that ransom is paid.


The use of ransomware by hackers is on the rise. 

In August, two dental technology companies had their systems attacked by ransomware. The two companies stored PHI for their customers (dental practices), including full medical records. One day it was there, the next it was completely inaccessible. 

Medical and billing records were suddenly gone for all practices that used the software that had been hacked. For some, even their appointment schedules and patient contact information were gone. All those practices could do was wait for patients to show up and then tell them that they could not be seen.


Your business doesn’t need to be hacked directly to suffer from a ransomware attack.

It wasn’t even the providers’ own systems that were hit with ransomware — it was the software vendors’ systems, which the dental providers had trusted as the custodian of their data. The practices themselves could have done everything right and this still would have happened.

HIPAA guidelines and IT best practices tell dental practices to encrypt PHI so that attackers cannot read the data even if they obtain it. Had the practices’ data not been encrypted by their third-party software companies, those practices could have been facing an enormous HIPAA breach.

What happened here is that the data was properly encrypted, and therefore the PHI itself was not readable by the attackers. What the attackers did was re-encrypt that already-encrypted data, making it virtually impossible to access without both encryption keys. The result was that the dental practices couldn’t access any of the information they needed to run their businesses.


Get Free HIPAA Training + a Free BAA from CEDR HR Solutions


This incident highlights two key HIPAA requirements. 

First, practices need to have a contingency plan.

A contingency plan is your backup option — what you would do if all of your data was suddenly gone. A contingency plan is required by HIPAA. It could also prove useful if you ever find yourself in a situation in which a third party with access to your patients’ PHI is hacked.

Ask yourself if you could continue to operate if all of the electronic PHI you rely on was suddenly gone. If the answer is “no,” then you need to put a contingency plan in place, not only to comply with HIPAA, but to also have a plan if something like this happens to you. 

Practically, this will mean backups — backups that are stored somewhere separate from the primary system that houses the data, so that a single incident cannot take out both. Even paper or removable-media backups could be necessary. Generally, this is within the purview of your IT provider and wouldn’t be something you do yourself, but it should be something you make sure your IT provider actually does.


The other key requirement is solely your responsibility: the Business Associate Agreement. 

When a dental or medical practice gives any third party access to its patients’ PHI, and that third party isn’t already covered by HIPAA, the third party is considered a “business associate.” The practice is therefore required by HIPAA to enter into a Business Associate Agreement (BAA) with them.


What is a Business Associate Agreement?

A Business Associate Agreement is essentially a contract saying that a third party (or “business associate”) who is given PHI by a healthcare practice must protect that data as if they were covered by HIPAA regulations themselves. 


How does a BAA work?

The effect of a BAA is very important: it shifts the legal liability of protecting PHI shared between a practice and a third-party business associate from the practice to the business associate. 

If the business associate doesn’t follow the regulations and the PHI is breached or ransomed, then the business associate is liable for any resulting fines or lawsuits — instead of the dental or medical practice. If a Business Associate Agreement is not signed, then the practice is liable for whatever the business associate does with that PHI.

If any of the healthcare-provider customers of the two companies who had their data ransomed failed to execute a BAA prior to the attack, those providers could be in for some stiff penalties.

The BAA is much more than a simple formality — it is a tool intended to help you shift liability away from your practice and onto any business who might potentially mishandle your patients’ PHI.

As with the mandate that healthcare providers have a contingency plan for accessing and protecting PHI, executing a BAA is also required by HIPAA. But, in addition to being a legal requirement, BAAs are also critical pieces of legal protection for any healthcare provider that gives its patients’ PHI to non-covered entities for any reason.


For more about Business Associate Agreements, or to download the official model template from CEDR, take a look at CEDR’s HIPAA Training Knowledge Base. If you have not yet registered for your free one-year trial of CEDR’s HIPAA training program, click here to sign up so that you can access that information.




Sep 24, 2019

Friendly Disclaimer: This information is general in nature and is not intended to provide legal advice or replace individual guidance about a specific issue with an attorney or HR expert. The information on this page is general human resources guidance that is believed to be current as of the date of publication. Note that CEDR is not a law firm, and as the law is always changing, you should consult with a qualified attorney or HR expert who is familiar with all of the facts of your situation before making a decision about any human resources or employment law matter.