Cybersecurity Incidents Reported by Multiple Dental Practices
Data breaches have been announced by several dental practices: Bayside Dental (TX/WA), Aldrich Pediatric Dentistry (IN), Stafford Oral Surgery (VA), Garrisonville Dental (VA), and Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest and Cary Park (NC).
Bayside Dental
Bayside Dental, a dental practice with locations in Rowlett, Texas, and Anacortes, Washington, has experienced a cybersecurity incident. Unauthorized network access was identified on or around January 5, 2026, and the forensic investigation confirmed on March 13, 2026, that there had been unauthorized access to files containing patient data on January 5, 2026.
Data potentially viewed or obtained in the incident included full names, dates of birth, Social Security numbers, medical treatment information, medical diagnostic information, prescription information, patient numbers, health insurance information, health insurance plan beneficiaries, and dates of service. Bayside Dental determined that the protected health information of up to 10,216 patients was potentially compromised in the incident. Bayside Dental has offered the affected individuals complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months.
While not described by Bayside Dental as a ransomware attack, the Sinobi ransomware group claimed responsibility and added Bayside Dental to its dark web data leak site. The group claims to have stolen 580 gigabytes of data in the attack, including files containing patient data. Patients should therefore ensure that they sign up for the credit monitoring services being offered.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Aldrich Pediatric Dentistry
Aldrich Pediatric Dentistry in Indianapolis, IN, has also recently announced the exposure of patient data as a result of an email incident. On February 26, 2026, the practice learned that an employee’s email account was compromised on January 16, 2026, as a result of a response to a phishing email on January 16, 2026. The account was immediately secured, and an investigation was launched, which confirmed that the account contained the protected health information of 5,900 individuals.
Data potentially obtained in the attack included names, addresses, email addresses, telephone numbers, dates of service, procedures, and insurance information. Social Security numbers and financial information were not involved. The practice has implemented additional security measures to strengthen email security, and notification letters were mailed to the affected individuals around April 24, 2026.
Vendor Incident Affects Multiple Dental Practices
Several dental practices have recently disclosed data breaches involving a third-party vendor. The practices were contacted by the unnamed vendor on March 19, 2025, and were informed that limited patient data had been accessed by an unauthorized individual in a security incident. The vendor identified the unauthorized access on October 24, 2025, and the forensic investigation confirmed that some of the vendor’s email accounts and files were accessed between October 15 and October 23, 2025, as a result of a phishing attack.
The investigation found no evidence to suggest that the unauthorized third party accessed or copied any files containing patient information; however, unauthorized data access and acquisition could not be ruled out. The breach was limited to the vendor’s email accounts and associated files. There was no unauthorized access to patient medical or dental records. The compromised data varied from individual to individual and may have included names, addresses, dates of birth, medical information, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services.
The HIPAA Journal has not yet been able to confirm how many dental practices have been affected; however, the following dental practices have issued breach notices confirming that patient data was potentially compromised in the incident.
| Dental Practice | Affected Individuals |
| Stafford Oral Surgery, Virginia | 7,019 |
| Garrisonville Dental, Virginia | 5,204 |
| Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest, North Carolina, d/b/a Triangle Family Dentistry | 908 |
| Drs. Abdelbaky, Boes, Cameron & Associates of Cary Park, North Carolina, d/b/a Triangle Family Dentistry | 547 |
Spate of Attacks on Dental Practices
There has been a spate of data breaches reported by dental practices recently, including Bridle Trails Family Dentistry in Washington (20,976 individuals), Verber Dental Group PC in New York (8,598 individuals), Bronsky Orthodontics in New York (3,183 individuals) – covered here, and Totem Lake Family Dentistry in Washington (3,464 individuals). Apart from the Verber Dental Group data breach, these incidents involved unauthorized access to email accounts.
Dental practices should ensure that they set strong, unique passwords for employee email accounts, protect accounts with multifactor authentication, implement an email security solution, and provide security awareness training to the workforce to raise awareness of phishing and social engineering.
