
No business is immune to cybercrime, and dental practices are prime targets for ransomware, hacking, and data theft. The sensitivity of patient data, combined with often inadequate cybersecurity measures and untrained staff, makes dentistry an attractive target for cybercriminals.
For one dentist, the reality of this danger hit hard when a single click on a seemingly innocent email attachment led to a ransomware attack that crippled their entire practice. The attack brought the office to a standstill for three days and forced the practice to pay a hefty ransom due to a failed backup system.
In this candid interview, the dentist shares their harrowing experience—from the initial shock of realizing their data was encrypted to the difficult decision of paying the ransom and the long road to recovery. More importantly, they offer valuable insights and advice to help other dental practices avoid a similar fate. This is a story of resilience, hard-earned lessons, and a stark reminder that cybersecurity must be a priority in every dental office.
Interview with Dr. “X” – Endodontist
To protect their reputation and privacy, we have chosen to shield the identity of Dr. “X” while sharing their valuable experience.
Initial Incident
1. Can you describe what happened when the ransomware attack first occurred? How did you first realize something was wrong?
We realized something was wrong when one of our staff members mentioned that they couldn’t access any patient files. At first, we thought it was a routine software issue, but then a message popped up on all our computers saying our files had been encrypted and demanding a ransom. It was terrifying and overwhelming.
2. What was the immediate reaction of your team when they realized the office was compromised?
Everyone was in shock. My staff was scared, and no one knew what to do. It took a few moments to process what was happening. We quickly disconnected our systems from the internet, but by then, it was too late. The damage had been done.
3. How did the ransomware infiltrate your system? What was the nature of the attachment that was clicked?
One of our receptionists received an email that looked like it was from a patient requesting an appointment. The email had an attachment labeled as “X-ray results,” and when she clicked on it, it triggered the ransomware. It was so normal-looking and convincing that she didn’t question it.
Impact and Response
4. What were the immediate consequences of the attack on your practice operations?
We were completely paralyzed. We couldn’t access patient records, schedule appointments, or even see who was supposed to come in that day. It brought our practice to a standstill. We had to cancel all appointments and couldn’t operate for four and a half days.
5. How did you and your team handle the situation in the first hours and days following the attack?
After the initial shock, we contacted our IT provider, but they struggled to resolve the issue because the backup wasn’t working as expected. We also reached out to law enforcement, but they couldn’t do much. We eventually had to negotiate with the attackers and pay the ransom just to get our data back.
6. Can you walk us through the decision-making process that led to paying the ransom?
It was a tough decision. We debated it for hours, but without a backup, we had no choice. The ransom was the only way to recover our files quickly and get back to treating our patients. It felt like we were backed into a corner, with no good options.
Backup and Recovery
7. What did you discover about your backup systems after the attack? Why were you unable to recover from the backup?
We found out that our backup system hadn’t been working properly for months. There was an issue with the configuration, and we weren’t performing regular tests to ensure everything was backing up correctly. So, when we needed it most, it failed us.
8. How did the four-day downtime affect your practice financially and in terms of patient trust?
The financial impact was significant—we lost revenue from canceled appointments, and the ransom payment along with lost revenue, IT support, etc. was a big hit. More importantly, it damaged our patients’ trust and the trust of our referring dentists. They rely on us to keep their information safe, and we felt like we let them down.
9. What lessons did you learn about the importance of regular and verified backups?
This experience taught us that backups are only useful if they work. We’ve since implemented a much more robust backup system and now perform regular checks to ensure everything is backed up correctly. It’s a lesson I wish we had learned before this happened.
Prevention and Lessons Learned
10. What measures have you taken since the attack to ensure it doesn’t happen again?
We’ve completely overhauled our cybersecurity protocols. We now have stricter email filtering, regular staff training on phishing, and a stronger firewall. We’ve also hired a cybersecurity firm to conduct regular audits and monitor our systems.
11. How has this experience changed your approach to staff training and cybersecurity awareness?
Cybersecurity training is now a top priority. We do regular online training sessions to keep everyone on their toes. Our staff is much more cautious now, and they understand the importance of cybersecurity in protecting our practice.
12. What advice would you give to other dental practices to help them avoid a similar situation?
Don’t assume it won’t happen to you. Take cybersecurity seriously—invest in good cybersecurity consultants, train your staff, and make sure your backups are working by testing. It’s so humbling to realize that everything you’ve built can be wiped out in an instant.
13. In hindsight, what do you wish you had done differently before, during, and after the attack?
I wish we had invested in better cybersecurity sooner and performed regular backup tests. During the attack, I wish we had been better prepared with a response plan. Afterward, I realized we needed a more proactive approach to cybersecurity, not just a reactive one.
Long-Term Effects
14. How has the attack affected your relationship with your IT provider and any other vendors?
The attack strained our relationship with our IT provider because we felt they hadn’t done enough to protect us. We’ve since moved to a provider that specializes in cybersecurity for dental practices. We’ve also become more critical of our vendors, ensuring they meet higher security standards.
15. Was law enforcement able to help?
Law enforcement was limited in what they could do, which was frustrating. The cybersecurity professionals we worked with afterward were helpful, but I wish we had engaged them before the attack. It’s important to have experts on your side before something goes wrong.
Closing Thoughts
16. If you could go back, is there anything specific you would change in how your practice was managed before the attack?
I would have taken cybersecurity much more seriously from the start. We were focused on patient care and growing the practice, but we didn’t realize that cybersecurity is just as important in maintaining a successful practice.
17. How do you feel about the level of cybersecurity support available to dental practices today?
I think it’s improving, but there’s still a long way to go. Many dental practices don’t realize how vulnerable they are, and there aren’t enough resources tailored specifically for our industry. That needs to change.
18. What would you say to a fellow dentist who might think, “This won’t happen to me”?
I was one of those dentists who thought it wouldn’t happen to me, and I was wrong. Cybercriminals don’t discriminate—they target everyone. Investing in cybersecurity now is much cheaper and less painful than dealing with an attack later.
We sincerely thank Dr. “X” for their candid and insightful interview. We hope this conversation helps other dentists avoid the trauma of a ransomware attack or other cyber threats. By learning from Dr. “X’s” experience, we encourage all dental practices to take proactive steps in strengthening their cybersecurity defenses, ensuring the safety of their patients’ data, and maintaining the trust and integrity of their practice.
About the Author

Anne Genge is a Certified Information Privacy and Security Professional and a Certified Healthcare Security Risk Assessment Specialist, and a leading expert and trainer in this field with over two decades of experience. Founder of Myla Training, Canada’s first dental online privacy and cybersecurity training platform, Anne collaborates closely with practice owners, managers, dental teams, and IT providers to ensure the safety of patients and practice data while enabling compliance with privacy regulations.