Dental Patient Data Breach: What to Do in the First 72 Hours (2026 Guide)

What Counts as a HIPAA Breach?

Not every security incident is a reportable breach. Under HIPAA, a breach is an impermissible use or disclosure of Protected Health Information (PHI) that compromises the security or privacy of that information.

The key legal test is the four-factor risk assessment that determines whether the impermissible disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. If it does — or if you can't demonstrate that it doesn't — it's a reportable breach.

• Definitely a breach: Ransomware attack that encrypts patient files. Stolen laptop or device with unencrypted patient data. Employee accessing patient records for personal reasons. Sending patient records to the wrong person.
• May or may not be a breach (requires assessment): Misdirected fax with patient information. Email sent to wrong patient. Brief unauthorized access by an employee with no evidence of data extraction. Third-party vendor reporting a security incident.
• Likely not a reportable breach: Encrypted device that is lost (the encryption is a safe harbor under HIPAA). Workforce member accidentally viewing a record they didn't need to see but immediately logged out. Physical paper left visible briefly with no evidence of observation.

Hours 1–4: Contain and Document

Your first priority is containment — stopping any ongoing exposure. Your second priority, beginning simultaneously, is documentation.

• For ransomware or active cyberattack: Immediately disconnect affected systems from the network. Do NOT turn off affected computers (forensic evidence may be lost). Contact your IT provider. Do NOT pay any ransom without legal counsel.
• For stolen device: Determine what data was on the device and whether it was encrypted. If encrypted with a strong passphrase, document this — it may qualify for the safe harbor. If unencrypted, proceed as a breach.
• For misdirected records: Attempt to contact the recipient and request destruction. Document the attempt and their response. Note whether the recipient was another healthcare provider (lower risk) or a non-healthcare entity (higher risk).
• Document everything from minute one: Date and time of discovery. Who discovered it. What they observed. Actions taken. Every conversation about the incident.

Hours 4–24: Conduct the Four-Factor Breach Risk Assessment

Before you can determine whether notification is required, HIPAA requires you to conduct a documented four-factor risk assessment. This assessment must be in writing and retained for six years:

• Factor 1: Nature and extent of PHI: What type of PHI was involved? (Financial information and SSNs are higher risk than appointment dates.) How much data? What identifiers were included?
• Factor 2: Who accessed or could access the PHI: Was it an unauthorized person? Did they actually view the data, or just have theoretical access? Is there evidence of data exfiltration?
• Factor 3: Whether PHI was actually acquired or viewed: For cyberattacks, this is often unclear — document what you can determine. For theft, consider whether the device was password-protected.
• Factor 4: Extent to which risk has been mitigated: Did the recipient agree to destroy the information? Have you disabled compromised access credentials? Have you confirmed the exposure window is closed?

Hours 24–72: Determine Notification Requirements and Engage Counsel

Based on your four-factor assessment, you will determine whether the incident is a reportable breach. If the assessment cannot demonstrate low probability of compromise, it is a breach requiring notification.

At this stage, engage a HIPAA attorney or your compliance platform's breach response support — especially if more than 50 patients are potentially affected.

• Individual notification (required for all reportable breaches): Written notice to each affected individual within 60 days of discovery. Must include: description of what happened, PHI types involved, what you're doing to investigate, steps affected individuals can take to protect themselves, and contact information.
• OCR notification: For breaches affecting fewer than 500 individuals: report via the HHS OCR breach reporting portal within 60 days of the end of the calendar year in which the breach occurred. For 500+ individuals: report to OCR within 60 days of discovery.
• Media notification: If 500 or more residents of a state or jurisdiction are affected: notify prominent media outlets in that state within 60 days. This requirement surprises many practice owners — it's a real obligation, not optional.
• Business Associate notification: If your Business Associate (vendor) caused the breach, they must notify you. But you are ultimately responsible for notifying patients and OCR. Document all communications with the BA.

After the First 72 Hours: Investigation and Remediation

Once immediate containment and notification planning is underway, the focus shifts to full investigation and remediation.

• Conduct a thorough forensic investigation of how the breach occurred
• Identify and remediate the vulnerability that enabled the breach
• Update your Security Risk Analysis to reflect the new threat and your response
• Review and update your policies and procedures as needed
• Retrain all affected staff members
• Document all remediation actions with dates — OCR will review this if they investigate

What Not to Do After a Dental Data Breach

These mistakes consistently worsen outcomes in OCR investigations:

• Don't delay notification hoping the investigation will clear you: The clock runs from discovery, not from the end of your investigation. Delay is itself a violation.
• Don't destroy or alter any documents: Document retention obligations apply immediately. Destroying evidence — even accidentally — dramatically worsens OCR findings.
• Don't communicate without legal counsel for significant breaches: Statements made during breach response can become evidence. Have your attorney review any notifications before they go out.
• Don't pay ransomware without legal advice: Payment may violate US Treasury Department sanctions regulations if the attacker is on a sanctioned entity list. This is a real legal risk that practice owners often don't know about.
• Don't assume your IT company will handle OCR notification: They can assist with the technical investigation. You are the Covered Entity and you are responsible for patient and OCR notification.