The Cybersecurity Illusion: Why Dental Organizations Feel Safer Than They Are

DSO Cybersecurity

For many Dental Service Organizations (DSOs), cybersecurity feels “handled.” There is either an internal or external IT resource managing devices, antivirus software installed across endpoints, a firewall in place, and perhaps an annual risk assessment completed for compliance purposes. Leadership teams often assume these measures equal protection.

Unfortunately, that confidence is frequently an illusion.

Across healthcare, and especially within rapidly growing multilocation dental organizations, cybercriminals are exploiting a dangerous gap between perceived security and actual security readiness. The result is a rising number of ransomware incidents, business email compromise attacks, credential theft, and operational shutdowns that cripple organizations financially and operationally.


The harsh reality is that most DSOs are not truly operating with a cybersecurity strategy. They are operating with IT support and periodic compliance checklists. Those are not the same thing.

Modern cyber threats move continuously. Attack surfaces change daily. Employees unknowingly create risk every hour. New vulnerabilities emerge constantly across cloud applications, remote access systems, imaging platforms, vendors, and third-party integrations. Yet many DSOs still rely on point-in-time security scans or annual assessments that provide nothing more than a temporary snapshot of risk.

A security scan conducted in January does not protect an organization in March. An annual assessment does not stop a phishing attack next week. Cybersecurity is not a one-time, quarterly, or monthly event. It is an ongoing operational discipline.

This is why Continuous Threat Exposure Management (CTEM) has become increasingly important for healthcare organizations and DSOs. CTEM shifts cybersecurity away from static assessments and toward continuous visibility, validation, prioritization, and remediation of real-world exposure. Instead of asking, “Were we secure when the assessment was completed?” CTEM asks, “What exposures exist right now, and how quickly can we identify and reduce them before attackers exploit them?”

That distinction is critical.

Point-in-time scans are inherently flawed because environments change too quickly. New locations are added. Vendors connect remotely. Employees reuse passwords. Cloud applications are adopted without oversight. Devices fall behind on patches. Security settings drift over time. Attackers specifically look for these small gaps because they know most organizations are not monitoring continuously. Cybercriminals are not targeting organizations once a year. They are probing for weaknesses every single day.


Many DSOs also underestimate how sophisticated modern attacks have become. Threat actors no longer rely solely on “loud” ransomware deployment. Today’s attackers frequently use legitimate tools and stolen credentials to blend into normal activity. They exploit trusted accounts, remote access software, email conversations, and cloud applications to move quietly within environments for weeks before being detected.

Traditional IT providers are often not equipped to identify or stop these threats.

This is not an attack on IT professionals. IT teams play an essential role in keeping organizations operational. Their focus is typically infrastructure availability, user support, device management, software deployment, connectivity, and business continuity. Cybersecurity, however, is a specialized discipline requiring entirely different expertise, tools, methodologies, and operational focus.

Expecting an IT provider to fully defend a modern DSO against advanced cyber threats is similar to expecting a general practitioner to perform highly specialized orthognathic surgery. There is overlap, but the expertise required is fundamentally different. This misunderstanding is one of the primary reasons DSOs continue to experience breaches.

Cybersecurity requires continuous monitoring, threat hunting, exposure validation, incident response readiness, identity protection, security awareness conditioning, attack surface reduction, and proactive detection engineering. Most IT firms simply are not structured to provide that level of dedicated security oversight.

One of the most overlooked risks within DSOs is the assumption that the same IT provider responsible for managing systems will objectively identify and report its own security shortcomings. In many organizations, leadership depends entirely on the IT provider to explain where vulnerabilities exist, what protections are missing, and whether the environment is truly secure. That creates a dangerous conflict of interest: essentially the cybersecurity equivalent of the fox guarding the hen house.

If the organization responsible for maintaining the environment is also the sole party evaluating its effectiveness, who is watching the watcher? True cybersecurity oversight requires independent validation, continuous exposure assessment, and specialized security expertise capable of identifying gaps that traditional IT operations may overlook, underestimate, or in some cases, not even recognize.


DSOs face particularly high risk because of their complexity. Multilocation environments create expanded attack surfaces across clinics, imaging systems, centralized billing operations, cloud-based practice management platforms, remote users, vendors, and acquisitions. Every additional location introduces new devices, users, workflows, and potential vulnerabilities.

Private equity growth strategies can further increase exposure. Rapid expansion often prioritizes operational integration over cybersecurity maturity. New acquisitions may inherit outdated systems, weak credential practices, unsupported devices, or inconsistent security controls. Attackers recognize this and increasingly target healthcare organizations undergoing rapid growth or consolidation.

The operational consequences of a breach can be devastating. A ransomware attack against a DSO does not simply affect IT systems. It disrupts patient scheduling, imaging access, treatment planning, billing operations, insurance verification, communication systems, and provider productivity. In some cases, organizations are forced to cancel appointments across dozens of locations simultaneously, and the total loss of business continuity typically lasts anywhere from 7 to 14 business days.

The financial damage is significant, but the reputational damage can be even worse. Patients trust healthcare organizations with highly sensitive information. Once that trust is compromised, rebuilding confidence becomes extremely difficult.

The solution is not more fear. The solution is realism.

DSOs must move beyond the illusion of security created by periodic assessments and basic IT management. Cybersecurity must become continuous, specialized, and proactive. Organizations need real-time visibility into exposure, ongoing validation of defensive effectiveness, and dedicated cybersecurity expertise focused exclusively on reducing risk before attacks occur.

CTEM provides the framework for this shift. It acknowledges that no environment remains static and no single assessment can guarantee security. Continuous monitoring and continuous improvement are no longer optional for healthcare organizations operating in today’s threat landscape.

The organizations that recognize this reality early will be far more resilient than those still relying on outdated assumptions about what it means to be protected. In cybersecurity, feeling safe and actually being safe are two very different things.



🚨 Recent notable healthcare cyber incidents:

Verber Dental Group PC (“Verber Dental”) is providing notice of a recent data security incident that may have involved personal and/or protected health information. On January 27, 2026, they identified unusual activity within their network. Their forensic investigation determined that certain data may have been accessed or acquired without authorization in connection with this incident between January 26, 2026 and January 27, 2026. On May 7, 2026, they mailed letters by United States First Class mail to all individuals with an available mailing address whose information could have been involved and provided resources to assist them.


Absolute Dental Group has agreed to a $3,300,000 settlement to resolve a class action lawsuit that alleged the dental practice chain failed to protect the private information of patients and employees from a data breach that occurred between February and March 2025.

The $3.3 million Absolute Dental Group class action settlement received preliminary approval from the court on March 10, 2026. The deal covers all living, natural United States residents whose personal information was potentially compromised during the data breach, including all who were sent notice of the incident. Court documents state that approximately 1,223,437 people are covered by the class action settlement.


Bayside Dental, a dental practice located at 3001 Commercial Ave. in Anacortes, Washington, disclosed a cybersecurity incident that has impacted 9,683 Washington residents. The breach was reported to the Massachusetts Office of Consumer Affairs and Business Regulation, the New Hampshire Attorney General and to the Washington Attorney General. On or about Jan. 5, 2026, Bayside Dental detected unauthorized access to its network.

A ransomware group known as Sinobi claimed responsibility for the attack in a posting on the Tor dark web network on Jan. 21, 2026. The group stated it had obtained 580 gigabytes of Bayside Dental’s data, including customer information, contracts and incident records, and threatened to publish the data within 10 to 11 days.


The state of New York fined dental insurance underwriter Delta Dental $2.25 million after investigating the company’s response to the mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer application. Delta Dental is one of thousands of organizations caught up in the blast radius of an automated 2023 Memorial Day hack that took advantage of a SQL injection zero-day discovered by Russian-speaking cybercriminal group Clop (see: Hackers Exploit Progress MOVEit File Transfer Vulnerability).

An April 29 consent order between New York Department of Financial Services, Delta Dental of New York and parent company Delta Dental Insurance shows that the company calculates that hackers stole approximately 60,000 files. Those files contained a range of data, including insureds’ names, addresses, Social Security numbers, driver’s license, financial account information and patient health information.

Regulators concluded that Delta Dental violated several sections of the state’s cybersecurity regulations. That includes requirements to securely dispose of nonpublic information no longer necessary for business operations, and to have a cyber incident reporting plan.


Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.



Have a cybersecurity question or concern that you would like addressed in future Dental Cyber Watch articles? Please email it to info@groupdentistrynow.com

