DSO RESOURCE GUIDE

When “Help” Becomes a Hacker’s Weapon: How Scattered Spider and DragonForce Are Breaching Healthcare Offices


The New Frontline in DSO Cybersecurity

All healthcare offices face relentless cyber threats, but not all attacks begin with technical exploits or sophisticated malware. Increasingly, cybercriminals are taking advantage of something much more ordinary: remote support tools and human trust.

Two threat groups, Scattered Spider and DragonForce, are among the most prolific ransomware-linked actors of the past year and are leading examples of this new wave. They infiltrate healthcare environments not by breaking through firewalls but by installing or hijacking remote-access software such as SimpleHelp and LogMeIn, tools many offices already use daily for legitimate IT support.

The result: attackers gain trusted, fully privileged access to healthcare systems, often without triggering endpoint detection and response (EDR) alerts, because the remote-access tool they are riding is legitimate, signed software that the EDR has been told to allow.


Who Are Scattered Spider and DragonForce?

Scattered Spider: The Master Manipulators

Scattered Spider (also called UNC3944) is notorious for its social-engineering expertise. Instead of exploiting technical vulnerabilities, its members excel at tricking real people. They impersonate IT help-desk staff or vendors. They call, text, or email employees pretending to be from tech support or leadership. They convince someone to reset a password, approve a login, or disable multifactor authentication (MFA), effectively opening the door for them. Once inside, they move through systems, collect credentials, and deploy ransomware and/or steal sensitive data.

For DSO organizations where IT staff are constantly under pressure to “keep things working” for healthcare teams, these tactics are especially effective. Attackers exploit urgency, empathy, and trust to override security instincts.

DragonForce: The Remote-Access Hijackers

While Scattered Spider targets people, DragonForce targets technology, and remote monitoring and management (RMM) tools are its favorite way in.

DragonForce has been linked to attacks exploiting the SimpleHelp remote support platform, often used by Managed Service Providers (MSPs) that manage IT for multiple clinics. Once the group compromises a SimpleHelp server, they can spread ransomware through the MSP’s access into all connected client networks.

Since mid-September of this year the team at Black Talon Security has received numerous requests from healthcare organizations to assist them with recovery after falling victim to this specific methodology. The consequences have been debilitating and expensive for all these targeted groups.

In June 2025, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) issued an advisory warning that ransomware actors were exploiting an unpatched SimpleHelp vulnerability (CVE-2024-57727, a path-traversal flaw fixed in SimpleHelp 5.5.8) in supply-chain attacks that reached downstream customers through their service providers. Any SimpleHelp server still running an older release should be treated as exposed. DragonForce has also reportedly used similar tactics against LogMeIn-style remote-support tools, which are common across DSO organizations.

In short: DragonForce doesn’t need to break into your clinic directly; it can ride in through your vendor’s or MSP’s remote-access system.


Why Healthcare Is Such an Appealing Target

Healthcare data is some of the most valuable and vulnerable in existence. Electronic health records contain personally identifiable information (PII), insurance details, and sensitive medical histories. A single patient file is commonly reported to sell for many times more than a stolen credit card number, because it cannot be cancelled and reissued the way a card can.

But beyond profit, there’s pressure. DSOs can’t afford extended downtime. A ransomware event can completely paralyze practices, making senior management far more likely to pay ransoms quickly. Attackers know this. They combine speed, social engineering, and remote tool abuse to hit healthcare organizations where it hurts most.

Several factors make healthcare especially at risk:

  • Outsourced IT management: Many organizations rely on MSPs that use tools like SimpleHelp or LogMeIn. A remote tool with no MFA requirement and persistent, always-on access is a hacker’s dream: such tools often stay connected for convenience, creating continuous exposure.
  • Legacy systems: Older dental software systems may not support strong authentication or network segmentation.
  • Human urgency: Help desk teams in healthcare face nonstop pressure to restore access quickly, sometimes at the expense of verification.

How These Breaches Happen

Let’s walk through what a real-world attack might look like in plain terms:

1. The Setup:

A clinic’s MSP runs SimpleHelp to manage its computers remotely. The MSP doesn’t realize its SimpleHelp server is outdated and exposed online.

2. The Breach:

DragonForce scans for vulnerabilities in SimpleHelp software, finds the MSP’s server, and exploits the flaw. They gain administrator level access.

3. The Spread:

Using that remote tool, the attackers connect into each client’s network as though they were legitimate IT staff.

4. The Damage:

They deploy ransomware, steal patient data, and encrypt key systems. Within minutes, the clinic loses access to scheduling, billing, and medical records.

5. The Cover:

Meanwhile, Scattered Spider might simultaneously run a social-engineering campaign, calling the clinic’s help desk to “verify” remote access or to bypass MFA, further cementing the foothold.

By the time the attack is detected, the attackers have already exfiltrated sensitive information and encrypted the data. The result is operational chaos, a halt to business operations, potential regulatory fallout under HIPAA, and a potential class-action suit.


Recognizing the Warning Signs

Even without deep technical knowledge, healthcare leaders can learn to spot danger early. Here are red flags worth watching for:

  • Remote support sessions appearing outside normal hours or from unknown devices.
  • Sudden requests to “reset” MFA or passwords via phone or chat.
  • Vendors or technicians asking for new or temporary remote access credentials.
  • Unexplained installations of SimpleHelp, LogMeIn, or similar tools on staff computers.
  • Staff receiving suspicious “verification” calls from supposed IT providers.

When in doubt, pause and verify directly through a known contact or secondary communication channel.

Five Practical Steps to Reduce Risk

You don’t need to be a cybersecurity expert to improve resilience. These straightforward actions can dramatically reduce your exposure:

1. Audit Remote Access Tools

Ask your IT provider:

  • Which remote tools (SimpleHelp, LogMeIn, etc.) are in use?
  • Are they patched and up to date?
  • Are sessions logged and reviewed?

Only allow remote tools that support multifactor authentication and session recording.

2. Lock Down Vendor Access

Require vendors and MSPs to use:

  • Least-privilege accounts (access only what they truly need).
  • Time-limited access (e.g., only during maintenance windows).
  • Unique credentials per client (never reused across sites).

3. Train Help Desk and Frontline Staff

Social engineering only works when people are unprepared. Train staff to verify all callers claiming to be from IT or vendors. Call back through a known company number before resetting passwords. Treat every “urgent” access request as suspicious.

4. Implement an Email Security Service and Managed Detection & Response

Relying on the built-in email filtering from Microsoft or Google alone is no longer sufficient. Use an AI-based email security service that scans every incoming email and attachment. Ensure that the Endpoint Detection and Response (EDR) system you have deployed is monitored 24/7 by trained security professionals. EDR is a great tool, but it is most effective when a trained human is available to respond to every alert it raises, particularly overnight and on weekends. Keep in mind that SimpleHelp and LogMeIn are legitimate software, so EDR will usually not block them on its own; it is the analyst reviewing the alert, together with the remote-session logs, who catches misuse.

5. Plan for Rapid Response

Have a clear incident response plan:

  • Who to call: Insurance Company, Legal Representative, Cybersecurity Provider (if you work with one), IT Company
  • Conduct tabletop exercises so everyone knows their role before an incident occurs.
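As an added example (not code from Black Talon Security, SimpleHelp, or LogMeIn), the following Python script reviews remote-support session records against the red flags listed under “Recognizing the Warning Signs” and the policies in steps 1 and 2 above: sessions outside business hours that also fall outside the vendor’s approved maintenance window, technician devices not on the vendor’s allowlist, sessions without MFA, sessions running longer than a set limit, and one account used across more than one client site. The record format, the policy values, and the sample log are constructed for illustration; real SimpleHelp or LogMeIn session exports use different fields, so you would map those into this shape first.

```python
"""Review remote-support session records for the red flags discussed in the article.

Added example; not Black Talon's, SimpleHelp's or LogMeIn's code.  The record
format, policy values and sample log below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# --- Policy (assumed values; tune per organization) ---------------------------
BUSINESS_DAYS = {0, 1, 2, 3, 4}                      # Mon-Fri
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # clinic staffed hours
MAX_SESSION_MINUTES = 120                            # longer sessions get a second look
KNOWN_TECH_DEVICES = {"MSP-TECH-01", "MSP-TECH-02"}  # allowlist supplied by the vendor
# Approved maintenance windows per vendor: ({weekdays}, start, end)
MAINTENANCE_WINDOWS = {
    "acme-msp": ({1, 3}, time(20, 0), time(23, 0)),  # Tue/Thu evenings
}

# Constructed sample export (not a real SimpleHelp/LogMeIn log):
# start|end|account|vendor|technician device|client site|mfa
SAMPLE_LOG = """\
# start|end|account|vendor|device|site|mfa
2025-10-14T10:05:00|2025-10-14T10:35:00|jsmith@acme-msp|acme-msp|MSP-TECH-01|clinic-north|mfa=yes
2025-10-14T21:10:00|2025-10-14T21:50:00|jsmith@acme-msp|acme-msp|MSP-TECH-02|clinic-north|mfa=yes
2025-10-16T02:15:00|2025-10-16T02:45:00|svc-support@acme-msp|acme-msp|UNKNOWN-PC|clinic-north|mfa=no
2025-10-17T11:00:00|2025-10-17T11:20:00|svc-support@acme-msp|acme-msp|MSP-TECH-01|clinic-south|mfa=no
2025-10-17T14:00:00|2025-10-17T17:30:00|jsmith@acme-msp|acme-msp|MSP-TECH-01|clinic-north|mfa=yes
"""


@dataclass
class Session:
    start: datetime
    end: datetime
    account: str
    vendor: str
    device: str
    site: str
    mfa: bool


def parse_session(line: str) -> Session:
    """Parse one pipe-separated record in the constructed format above."""
    start, end, account, vendor, device, site, mfa = line.split("|")
    return Session(datetime.fromisoformat(start), datetime.fromisoformat(end),
                   account, vendor, device, site, mfa == "mfa=yes")


def in_window(s: Session, days, start: time, end: time) -> bool:
    """True if the session started on an allowed weekday between start and end."""
    return s.start.weekday() in days and start <= s.start.time() <= end


def review_log(text: str):
    """Return a list of (account, site, reason) findings, one per red flag seen."""
    findings = []
    sites_by_account = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        s = parse_session(line)
        sites_by_account.setdefault(s.account, set()).add(s.site)

        if not s.mfa:
            findings.append((s.account, s.site, "session without MFA"))
        if s.device not in KNOWN_TECH_DEVICES:
            findings.append((s.account, s.site, f"unknown technician device {s.device}"))
        # Off-hours is only acceptable inside the vendor's approved maintenance window.
        if not in_window(s, BUSINESS_DAYS, *BUSINESS_HOURS):
            win = MAINTENANCE_WINDOWS.get(s.vendor)
            if win is None or not in_window(s, *win):
                findings.append((s.account, s.site,
                                 "off-hours session outside approved maintenance window"))
        minutes = (s.end - s.start).total_seconds() / 60
        if minutes > MAX_SESSION_MINUTES:
            findings.append((s.account, s.site,
                             f"session ran {minutes:.0f} min, limit {MAX_SESSION_MINUTES}"))

    # One credential touching several client sites is the "reused across sites" pattern.
    for account, sites in sites_by_account.items():
        if len(sites) > 1:
            findings.append((account, ",".join(sorted(sites)),
                             "same account used across client sites (credential reuse)"))
    return findings


if __name__ == "__main__":
    for account, site, reason in review_log(SAMPLE_LOG):
        print(f"{account:<24} {site:<26} {reason}")
```

In the sample, the Tuesday 21:10 session is not flagged because it falls inside the vendor’s approved Tue/Thu window; the 02:15 session on Thursday is flagged three times (no MFA, unknown device, off-hours). Running this against a real export once a week, and asking the MSP to explain every finding, is what “sessions logged and reviewed” in step 1 means in practice.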


A Culture of Verification and Vigilance

Cybersecurity isn’t just an IT responsibility anymore; it’s an operational imperative.

Every receptionist, helpdesk worker, or office manager who picks up a phone is now part of the security perimeter.

If someone calls asking for access, verification, or “help,” the right response is to trust but verify. This one pause can be the difference between a harmless request and a full-scale breach.

Reach out to the team at Black Talon Security for further guidance or to learn more about how to protect your DSO from this latest wave of cyber threats.



🚨 Recent notable healthcare cyber incidents:

Mid America Health (MAH), which provides dental and healthcare services to state and federal governments, has reported a data breach potentially affecting individuals’ personal information. While not much is currently known about the data breach, the compromised information reportedly includes first and last names, Social Security numbers and financial account information. On August 4, 2025, the Mid America Health data breach was reported to the Massachusetts Office of Consumer Affairs and Business Regulation. Letters are now going out to individuals affected by the incident.


First Choice Dental has agreed to pay $1,225,000 to settle a class action lawsuit over an October 2023 cyberattack that allegedly compromised private patient information. The First Choice Dental class action settlement received preliminary approval from the court on September 30, 2025, and covers all individuals in the United States whose private information was implicated during the October 2023 data incident. Per court documents, about 159,145 people are covered by the class action settlement. The court-approved website for the First Choice Dental data breach settlement can be found at https://www.FCDGDataSettlement.com/.


Central Jersey Medical Center, Inc. (“CJMC”) recently suffered a data breach that compromised the sensitive personal and protected health data of individuals. On August 25, 2025, an external threat actor gained unauthorized access to CJMC’s dental server network and installed ransomware to successfully encrypt files on the network. Upon learning of the attack, CJMC launched an investigation to determine the scope and nature of the incident.

The investigation revealed that the unauthorized party may have accessed and/or acquired sensitive personal and protected health information during the breach. On or around October 23, 2025, a breach notification was posted to the CJMC website. Compensation may be available for those individuals who receive notice that their sensitive personal information was compromised.


Dental Cyber Watch is sponsored by Black Talon Security, the recognized cybersecurity leader in the dental/DSO industry and a proud partner of Group Dentistry Now. With deep roots within the dental and dental specialty segments, Black Talon understands the unique needs that DSOs and dental groups have when it comes to securing patient and other sensitive data from hackers. Black Talon’s mission is to protect all businesses from the devastating effects caused by cyberattacks—and that begins with a robust cyber risk mitigation strategy. To evaluate your group’s current security posture visit www.blacktalonsecurity.com.



Have a cybersecurity question or concern that you would like addressed in future Dental Cyber Watch articles? Please email it to info@groupdentistrynow.com.

