As dental groups rush to adopt artificial intelligence, many are spending on tools no one uses and feeding patient data into platforms no one controls. The result is wasted budget, hidden liability, and growing security exposure.
In this episode of Dental Cyber Watch Live, Bill Neumann (CEO, Group Dentistry Now) sat down with Gary Salman (Co-founder and CEO, Black Talon Security) and Matthew McGaw (founder, DSO Compass; co-founder, Relay) to unpack the promise and peril of AI in dentistry. The clear message for DSOs of every size: AI is transformative, but only when paired with governance, training, and due diligence. Here are the key takeaways.
Watch Cyber Watch – LIVE – Episode 3:
Shadow AI: The Risk You Can’t See
Shadow AI is the unmonitored use of large language models — ChatGPT, Gemini, Claude — by employees without policy, oversight, or controls. Staff turn to these tools to work faster. The problem is that no one is watching what data goes in.
Salman described the scope at a recent DSO event with roughly 20 leaders, representing practices from 10 to 200-plus locations. Most reported a mix of LLMs already in use across their teams. Few had standard operating procedures governing what could be entered. Fewer still had any technology to monitor that activity.
The exposure is real. Information uploaded to a free model may be anonymized, but it can resurface when others ask similar questions.
“When the product’s free, you’re the product. They’re not doing you a favor.” — Gary Salman, Black Talon Security
For an organization handling protected health information, that is a compliance event waiting to happen. The fix doesn’t require shutting AI down — it requires structure: enable privacy settings so platforms don’t train on your data, write SOPs that define what can and cannot be entered, and train staff on why it matters.
The AI Graveyard: Paying for Tools No One Uses
The “AI graveyard” is where promising technology goes to die. It’s the software a DSO bought with enthusiasm, then abandoned because of poor implementation, failed training, low adoption, or clunky integration — while the subscription keeps billing.
McGaw pointed to two familiar culprits: “shiny object syndrome” and the “Hawaiian shirt guy effect,” where a charismatic salesperson wins the room and the product never fits the problem. Neumann offered a grounded example. Some automations at Group Dentistry Now worked well. Others proved clunky and were better handled manually.
A buried tool isn’t just a wasted subscription. It drains training hours, erodes staff confidence in future rollouts, and makes the next investment harder to champion. The escape route is unglamorous but reliable: plan, implement, and train before you scale. Roll out to a small group, confirm adoption, refine the workflow, then expand.
Design Backward, Build Forward
The smartest framing of the conversation came from a concept presented by Andy Farina, an assistant professor at the US Military Academy West Point and guest speaker at the most recent Destination DSO event: design backward, build forward.
Most purchasing runs backward. A leader sees an exciting tool, then invents a reason to need it. McGaw captured the trap: “Sometimes the problem that they think they have to solve isn’t always the problem that is really the problem.”
Salman’s advice for separating substance from hype was blunt: “Stay away from the shiny penny and buy the gold.” Before any AI purchase, leaders should define the problem, set clear criteria for success, evaluate fit against those criteria, and only then buy.
Vendor Due Diligence — and Who’s Really Liable
Many DSO leaders misunderstand a critical point: under HIPAA, breach liability sits with the healthcare entity — the DSO — not the software or technology provider. Assuming the vendor carries that risk is a dangerous shortcut.
That makes cyber due diligence non-negotiable. Before signing with any AI vendor, ask:
- How do they access, store, and share data?
- Who, specifically, has access to it?
- What security measures protect it?
Salman’s larger point: security should be the first question in any technology evaluation, not the last. Too often it’s raised only after the contract is signed and the data is already flowing.
Building AI Securely
The throughline of the discussion was AI governance, risk, and compliance treated as a foundation, not an afterthought. For organizations handling patient data, that distinction separates innovation from exposure.
Leaders should expect real safeguards from any tool touching PHI: scrubbing confidential data like dates of birth, Social Security numbers, and patient health information on upload; annotating sources so answers can be traced; flagging possible hallucinations; and hashing files to protect their integrity. Pair those safeguards with disciplined implementation, and today’s investment doesn’t become tomorrow’s graveyard occupant.
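The scrub-on-upload and file-hashing safeguards listed above, sketched as an added example (not code from the episode, Black Talon, or any vendor). It narrows scrubbing to SSNs and labelled dates of birth; the patterns, function names and sample note are assumptions.

```python
import hashlib
import hmac
import re

# Assumed patterns for this example; real PHI detection needs far broader coverage
# (names, addresses, record numbers, unlabelled dates).
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")
DOB_RE = re.compile(
    r"\b(DOB|date of birth)(\s*[:\-]?\s*)"
    r"(\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})",
    re.IGNORECASE,
)

def scrub(text):
    """Redact SSNs and labelled dates of birth; return (clean_text, counts)."""
    text, ssn_hits = SSN_RE.subn("[SSN REDACTED]", text)
    # Keep the label so the note stays readable, drop only the date itself.
    text, dob_hits = DOB_RE.subn(
        lambda m: m.group(1) + m.group(2) + "[DOB REDACTED]", text)
    return text, {"ssn": ssn_hits, "dob": dob_hits}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def prepare_upload(raw):
    """Scrub a file before it leaves the practice and record integrity hashes."""
    clean, counts = scrub(raw.decode("utf-8"))
    payload = clean.encode("utf-8")
    return {
        "payload": payload,                    # what is actually sent to the AI tool
        "redactions": counts,                  # audit trail of what was removed
        "original_sha256": sha256_hex(raw),    # ties the upload to the source file
        "payload_sha256": sha256_hex(payload), # detects later tampering
    }

def verify(data, expected_hex):
    """True only if the bytes still match the hash recorded at upload time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

# Constructed sample note; not real patient data.
SAMPLE = (
    b"Patient: Jane Example\n"
    b"DOB: 04/12/1987\n"
    b"SSN 123-45-6789\n"
    b"Next visit 06/01/2026 for crown prep on tooth 14.\n"
)

if __name__ == "__main__":
    record = prepare_upload(SAMPLE)
    print(record["payload"].decode(), record["redactions"])
```

The appointment date survives because only dates carrying a DOB label are redacted, and the patient name survives because name detection is outside what this example covers.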
Protecting What You’ve Built
AI is a genuine opportunity for DSOs willing to pair ambition with discipline. The risk isn’t the technology — it’s deploying it without control. Three steps to start now:
- Audit current AI usage to learn which tools your team uses and what data flows into them.
- Establish AI governance and SOPs before the next tool goes live.
- Make vendor security due diligence standard, with security as the opening question.
Is your DSO adopting AI faster than it can secure it? Get these fundamentals in place, and AI stops being a liability waiting to surface — and becomes the advantage it promised to be for your practice and your patients.
🚨 Recent notable healthcare cyber incidents:
Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.
DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.
Verber Dental Group PC, a dentist-owned dental network headquartered in Camp Hill, Pennsylvania, disclosed a data breach that occurred in January 2026. The investigation revealed that certain data may have been accessed or acquired without authorization between Jan. 26, 2026, and Jan. 27, 2026. To better understand the scope of the incident, Verber Dental engaged a third party to conduct a comprehensive review of all potentially affected files. The types of information compromised included both personally identifiable information and protected health information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, medical records, and health insurance information.
The breach was reported to the New Hampshire Attorney General on May 8, 2026. Verber Dental additionally posted a notice of the incident on its website and began notifying affected individuals on May 7, 2026. The breach impacted a total of 8,598 individuals across the United States.
Emerging reports indicate that Access Dental & Orthodontics, with offices across Texas and in New Mexico, Illinois, and Indiana, may have suffered a data breach. A June 5, 2026 post on dark web scraping website Ransomware.Live indicates that threat actor Worldleaks has taken responsibility for the possible cyberattack, estimated to have occurred on the same day the post was made. The nature or scope of the information that may have been compromised in the reported Access Dental data breach is not yet known. Access Dental, which provides care to over 150,000 people annually, had not confirmed these reports at the time this post was made.
Bayside Dental, a dental practice with locations in Rowlett, Texas, and Anacortes, Washington, has experienced a cybersecurity incident. Unauthorized network access was identified on or around January 5, 2026, and the forensic investigation confirmed on March 13, 2026, that there had been unauthorized access to files containing patient data on January 5, 2026. While not described by Bayside Dental as a ransomware attack, the Sinobi ransomware group claimed responsibility and added Bayside Dental to its dark web data leak site. The group claims to have stolen 580 gigabytes of data in the attack, including files containing patient data. Patients should therefore ensure that they sign up for the credit monitoring services being offered.
Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture, visit www.blacktalonsecurity.com.




