My Systems Are Compromised, Now What?

by Julian Perez, Chief Legal Officer at dentalcorp; Jeff Forbes, dentalcorp’s Chief Technology Officer


Cybercrime poses an increasingly serious threat to dental clinics. If patient data has been impacted by a cyber-attack (such as a ransomware event), it may be impossible to provide dental treatment safely. If a dental office’s IT systems or procedural defences fail, knowing how to react to a cyberattack becomes vitally important.

Hoping for the best, preparing for the worst: what to do if you are hit with ransomware.

The inconvenient truth is that cybercrime poses an increasingly serious threat to dental clinics. The statistics startle: for example, 61% of Canadian organizations surveyed reported being affected by a ransomware attack in 2021. [1] When other varieties of cyber-attacks are considered, like (spear) phishing and malware, a shocking 86% of Canadian companies reported being compromised (in 2021 alone) by at least one successful attack. And dental offices, which are legally required to maintain sensitive patient information for years, make attractive targets for networks of cybercriminals (also known as “threat actors”).

There is no shortage of sobering statistics. Terrifying case studies also abound. Recently, to provide just one example, a Canadian children’s hospital could not access its pediatric patients’ records due to cyber-attacks. [2] Cybercrime, which began as a cottage industry, is big business today. Over the last few years, a variety of sophisticated criminal organizations have emerged, some of which boast about “business models” specifically targeting healthcare institutions. [3]

The dental profession has tools at its disposal. Resources on how to manage cyber risk exist and specifically address how to prevent the most common cyber-attacks. The U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA) provides one guidebook. [4] Should that sound daunting, many articles (written in layperson’s language) list current best practices for dental offices, such as implementing endpoint detection and response (EDR) in conjunction with a managed security service provider (MSSP). [5] Prevention is undoubtedly the best strategy, and we urge every dental office owner and operator to review and consider the information provided in such resources. Dental offices do not need to be cybercrime experts; however, teams that fail to do their homework will have no way to tell whether their current IT partner is doing an adequate job of preparing for and preventing an eventual cyber-attack.

Indeed, custodians of patient records, and those who depend on the successful running of a dental practice, must prepare for the worst. Should a dental office’s defences fail or prove inadequate against evolving cyber threats, knowing how to react becomes vitally important. An effective response to ransomware will protect the clinic’s patient information, operational viability, and the healthcare professionals’ reputation. Should you arrive at your clinic one morning and find that your files have been encrypted, the steps below will help guide you:

1. Establish the scope of the threat and isolate it.

Not every cyber-attack is created equal. Depending on the point of entry and the mechanism of the malware that has infected your systems, the impacted information may be localized to one workstation or a group of workstations. On the other hand, threat actors and their tools will attempt to compromise and infect any connected networks, servers, and workstations. Therefore, ensuring that system backups are isolated from the office’s main network is mission-critical. When malware is discovered, the first order of business is to get a handle on the scope of the issue and prevent the malware from spreading. A worst-case scenario would be to mistakenly believe that the infection has been isolated, only to find out that it was dormant somewhere else in the network and has now infected the backup. To ensure this situation does not worsen, the first call should be to the clinic’s IT services provider and cybersecurity support personnel.

2. Address any clinical risks.

If a ransomware event has impacted patient data, it may be impossible to provide dental treatment safely. For example, if the office does not have access to patients’ medical histories, treatment plans and diagnostic imaging, the risk of proceeding with invasive dental surgeries would be significantly increased. When this occurs, there may be no option other than to delay non-urgent interventions or to arrange for patients to be seen at other offices. Although deciding to reschedule patients is difficult, the dentist must put the patient’s best interests front and centre. If there are any doubts about whether patients can be safely treated under such circumstances, contacting an expert in dental risk management, the advisory service at your provincial dental association or a representative from your dental regulatory body would make sense.

3. Determine if patient privacy was breached.

One might assume that every successful ransomware attack in a dental office constitutes a breach of patient privacy; however, this is not always the case. It is quite possible that an office’s practice management system (PMS) could be locked or encrypted by a ransomware virus without any of that patient data being accessed or exfiltrated (digitally extracted) by the threat actors. Many ransomware schemes charge paralyzed dental practices a fee for the decryption code, which unlocks the affected documents and allows the clinic to regain access to its patient records. Your IT provider should review your firewall logs to determine which servers and workstations had data exfiltrated. It is important to remember that even if your practice management system was not compromised or exfiltrated, it may be possible that patient information, such as names and addresses, may reside on your workstations or other file servers. If no patient data was breached and the clinic has a viable backup, it may be possible to get back up and running unscathed.
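Step 3 asks the IT provider to review firewall logs for signs of exfiltration. The script below is an added illustration of what that first-pass review looks like; it is not code from the article or from dentalcorp. It assumes a generic CSV export with a byte count per allowed connection (many firewalls log only sessions, or need a separate flow collector to get byte counts, so the column names are an assumption). It totals the volume each internal host sent to addresses outside the RFC 1918 private ranges and lists hosts above a threshold, largest first. The constructed sample shows a workstation that pushed roughly 1.7 GB to one external address in the small hours, which is the kind of entry a responder would want to look at first.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (generic CSV; not any vendor's real format).
# bytes_out = bytes sent from src_ip to dst_ip over the logged connection.
SAMPLE_LOG = """\
timestamp,action,src_ip,dst_ip,dst_port,bytes_out
2023-03-01T02:14:05,allow,10.0.1.21,203.0.113.45,443,1048576000
2023-03-01T02:15:11,allow,10.0.1.21,203.0.113.45,443,734003200
2023-03-01T09:02:33,allow,10.0.1.22,198.51.100.10,443,524288
2023-03-01T09:05:12,allow,10.0.1.22,10.0.1.5,445,20971520
2023-03-01T10:11:45,deny,10.0.1.30,203.0.113.45,22,0
2023-03-01T11:40:02,allow,10.0.1.40,198.51.100.10,80,2097152
"""

# RFC 1918 private ranges: traffic that stays inside these is not exfiltration.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if the address belongs to one of the private ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def summarise_outbound(log_text):
    """Total bytes each internal host sent to external addresses.

    Only allowed connections from an internal source to an external
    destination count; denied connections and internal-to-internal traffic
    (for example a workstation talking to the PMS server) are skipped.
    Returns {src_ip: {"bytes_out": int, "flows": int, "destinations": set}}.
    """
    totals = defaultdict(lambda: {"bytes_out": 0, "flows": 0, "destinations": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue
        if not is_internal(row["src_ip"]) or is_internal(row["dst_ip"]):
            continue
        entry = totals[row["src_ip"]]
        entry["bytes_out"] += int(row["bytes_out"])
        entry["flows"] += 1
        entry["destinations"].add(row["dst_ip"])
    return dict(totals)


def flag_exfiltration_candidates(summary, threshold_bytes):
    """Hosts whose external upload volume reaches the threshold, largest first."""
    hosts = [ip for ip, e in summary.items() if e["bytes_out"] >= threshold_bytes]
    return sorted(hosts, key=lambda ip: summary[ip]["bytes_out"], reverse=True)


if __name__ == "__main__":
    summary = summarise_outbound(SAMPLE_LOG)
    # 100 MiB is an arbitrary triage threshold; tune it to the clinic's normal traffic.
    for ip in flag_exfiltration_candidates(summary, 100 * 1024 * 1024):
        e = summary[ip]
        print(f"{ip}: {e['bytes_out'] / 1024 / 1024:.0f} MiB out over "
              f"{e['flows']} flows to {sorted(e['destinations'])}")
```

A high outbound total is a lead, not proof: cloud backups and software updates also move large volumes, so each flagged host should be checked against what normally runs there and when. Conversely, a small total does not rule exfiltration out, since a patient database can be compressed to a few megabytes. The review is meant to narrow the list of machines that need a closer forensic look, which is exactly what the breach determination in this step requires.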

4. If data was breached, contain the breach and implement a breach response protocol.

The Information and Privacy Commissioners (IPC) in several provinces have published Privacy Breach Guidelines for healthcare providers and companies. According to these guidelines, when patient privacy has been breached, “it is best practice to inform affected individuals and the IPC.” When the number of patients whose data has been impacted is small and discrete, a dentist or dental office operator could follow the guidelines provided by the IPC. When hundreds or thousands of charts have been affected, promptly contacting a privacy lawyer would be wise. Failing to notify the necessary persons and stakeholders, which may include the provincial regulatory body and police, or doing so inadequately, can lead to a whole new crisis. Note that the RCMP regularly monitors cybercriminals’ web presence. And since such organizations often announce the identities of the companies they have compromised, the police may become aware of the breach before the clinic ever contacts them. Legal and public relations experts offer invaluable services to businesses going through such a crisis for the first time. It is essential not to go it alone in such situations.

5. To pay the ransom or not?

In situations where threat actors have stolen patient data, they may demand a “double ransom,” that is, payment in exchange for a promise not to publish the clinic’s patient records on the dark web. This has become increasingly common and puts dental offices in an exceedingly tricky predicament. On the one hand, paying the ransom means funding a malicious criminal organization and teaching the threat actors that targeting dental offices pays. Conversely, a healthcare business is expected to do everything it can to prevent its patients’ records from being published online. As mentioned above, consulting with a privacy lawyer is well advised. Additionally, third-party agencies employ cyber-security experts and digital forensic professionals who have conducted extensive research into the big players in the ransomware world. Such organizations can assist with negotiating for the destruction of stolen patient data. They may be able to advise which ransomware collectives are known for “honour among thieves,” i.e., have a reputation for destroying ill-gotten information upon receiving payment. Notifying patients should be considered whenever data is exfiltrated. If a clinic chooses not to pay the ransom and patient data is published, ethically, the dental clinic would be expected to notify the impacted individuals. Depending on the data leaked, it may be wise to provide them with protection against identity theft.

6. Complete the investigation and prevent future attacks.

Once the emergency portion of the cyber-event has passed, several steps remain to close the loop. Now is the time to complete a more extensive investigation into how the malware was able to penetrate the office’s defence systems and to fix any gaps in the clinic’s technologies or processes. Finger-pointing is not the purpose of this exercise, but it is fair to ask whether the IT support you received before and during the attack could have been better. Training for office personnel on how to avoid phishing schemes or downloading viruses should be part of the remedial plan; indeed, cybersecurity training for healthcare workers should be provided periodically and included in onboarding new team members. Once a clinic is up and running again, it may be tempting to put the matter in the past and hope lightning does not strike twice. This is an understandable but mistaken impulse. The IPC advises that while proactively reporting incidents may not be mandatory, “it is a good idea to prepare a privacy breach investigation report,” which identifies “the root and contributing causes of the incident.” [6] Analyzing such investigations and the resulting root cause is instrumental in helping a clinic prevent future attacks.

7. Ensure patient health information is stored in an appropriate location and only once.

Finally, clinic management should consider how it handles patient health information. Documents with patient health information should be stored in the PMS and nowhere else. Temporary working documents containing patient health information (e.g., accounts receivable reports) should be deleted after use. Report letters from specialists, for example, should be uploaded to the PMS document centre for the relevant patients and the original copies destroyed. The more places patient health information resides, the greater the risk.


  1. 2021 Cyberthreat Defense Report, CyberEdge Group, 2021.
  2. Ransomware attack delays Toronto’s SickKids lab results, systems could be offline for weeks, Global News, December 22, 2022.
  3. Royal & BlackCat Ransomware: The Threat to the Health Sector, Health Sector Cybersecurity Coordination Center, January 12, 2023.
  4. Ransomware Guide, Cybersecurity and Infrastructure Security Agency (CISA).
  5. How dentists can protect themselves from the cyberattack epidemic, Chris Jordan, July 7, 2021.

About the Author

Julian Perez is Chief Legal Officer at dentalcorp, where he oversees legal, regulatory compliance, corporate governance and enterprise risk functions to support practices in the delivery of optimal patient care. He earned his bachelor’s degree from Yale University and a JD from Columbia University’s School of Law.

Jeff Forbes, dentalcorp’s Chief Technology Officer, oversees the company’s technology portfolio, leading the strategy and delivery of IT operations and digital platforms. Jeff has extensive experience in technology implementation and digital strategy. He holds a Bachelor of Information Systems specializing in ERP systems from St. Francis Xavier University.