
A Dental Practice Paid $50,000 in Ransom. It Didn't Have To.


A multi-location dental practice recently paid $50,000 in Bitcoin to a ransomware gang. The entire incident was preventable: three specific security gaps were present at the same time, and closing any one of them would have stopped the attack.

We're sharing this case study (with details changed to protect the practice) because the failures are so common and so preventable.

What Happened

The attack chain:

  1. An attacker used credentials from a previous breach to access the practice's VPN (Gap #1: no MFA on VPN)
  2. Once inside the network, the attacker moved laterally to the Dentrix server using shared admin credentials (Gap #2: shared admin passwords across all machines)
  3. The attacker deployed ransomware that encrypted the Dentrix database, imaging files, and the backup NAS (Gap #3: backup was on the same network with no air gap)

The practice was completely locked out of patient records, schedules, imaging, and financial data across all locations. No backup was recoverable. After five days of being unable to see patients or process claims, they paid the ransom.

Gap #1: No MFA on VPN

The VPN accepted a username and password alone, and that password had been exposed in a data breach and reused across multiple services. With MFA enabled, the stolen password by itself would not have granted access. Cost to implement MFA on the VPN: approximately $0 (most VPN solutions include MFA capability).

Gap #2: Shared Admin Credentials

Every machine in the practice used the same local administrator password, so once the attacker had admin access to one machine, they had admin access to all of them: the server, the workstations, and the backup NAS. Unique local admin passwords (easily managed with Microsoft LAPS, a free tool) would have contained the breach to the initial machine.
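As an added example (not from the original post), here is a minimal Windows LAPS rollout that gives every domain-joined machine its own rotating local administrator password stored in Active Directory. The domain, OU, group and computer names are placeholders; steps 1 to 4 run once from an elevated, domain-joined admin workstation, and the policy in step 5 is normally delivered by Group Policy rather than written by hand.

```powershell
# Added example: Windows LAPS rollout so no two machines share a local admin password.
# Placeholders: domain contoso.local, OU "Practice Computers", group "LAPS Password Readers".
$ou      = "OU=Practice Computers,DC=contoso,DC=local"
$readers = "CONTOSO\LAPS Password Readers"

# 1. One-time schema extension (requires Schema Admins).
Update-LapsADSchema

# 2. Allow computers in the OU to write their own password attributes to AD.
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Grant read and reset rights only to the approved group, not to every admin.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals $readers
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals $readers

# 4. Review who else already holds extended rights over the OU; any unexpected
#    principal here is a leftover broad delegation worth removing.
Find-LapsADExtendedRights -Identity $ou

# 5. Client policy (this is what the LAPS GPO writes under
#    Computer Configuration > Administrative Templates > System > LAPS).
$policy   = "HKLM:\SOFTWARE\Microsoft\Policies\LAPS"
$settings = @{
    BackupDirectory            = 2   # 2 = store the password in Active Directory
    PasswordLength             = 20
    PasswordComplexity         = 4   # upper, lower, digits and symbols
    PasswordAgeDays            = 30
    PostAuthenticationResetDelay = 4 # hours after an admin logon before rotating again
    PostAuthenticationActions  = 3   # reset the password and log off the managed account
}
New-Item -Path $policy -Force | Out-Null
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $policy -Name $name -Value $settings[$name] `
        -PropertyType DWord -Force | Out-Null
}

# 6. On a client, apply the policy now rather than waiting for the next refresh.
Invoke-LapsPolicyProcessing

# 7. From the admin workstation, confirm a per-machine password exists without
#    displaying it (omit -AsPlainText unless you actually need the secret).
Get-LapsADPassword -Identity "FRONTDESK-01" |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp
```

After rollout, a credential captured on one workstation no longer opens the server or the NAS, which is exactly the lateral movement this practice suffered.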

Gap #3: Backup on the Same Network

The backup NAS sat on the same network segment as the server, with mapped drives accessible from any workstation, so the ransomware encrypted the backup along with everything else. A cloud backup or an air-gapped local backup would have provided a recovery path without paying the ransom.

The Cost

  • Ransom payment: $50,000
  • Forensic investigation: $15,000
  • Five days of lost revenue (3 locations): approximately $75,000
  • System rebuilding and hardening: $20,000
  • HIPAA breach notification: $5,000
  • Cyber insurance premium increase: $8,000/year ongoing
  • Total first-year cost: approximately $173,000

The cost to prevent it: MFA ($0), LAPS ($0), cloud backup ($200/month). About $2,400 per year.

$2,400 in prevention vs. $173,000 in damage. The math writes itself.

Don't be this practice. Fix the three gaps today.