
An Attacker Was Inside Minnesota's Largest Medicaid Dental Practice for Two Weeks

Healthcare Security HIPAA Small Business

In December 2024, Community Dental Care - Minnesota's largest nonprofit Medicaid dental practice - discovered an attacker had been inside their network for two weeks.

14 days might sound bad, but it's actually lucky.

The average healthcare breach takes 279 days to identify and contain. Almost an entire year of an attacker sitting inside your network, reading patient records, copying data, and waiting.

Community Dental Care found theirs at 14 days. The question every other dental office should be asking: would yours be found at all?

By the time they found out, 134,903 patient records were compromised. Names, Social Security numbers, passport numbers, medical information, and insurance data. The investigation to figure out what happened took over three months. A class action lawsuit was filed in April 2025.

Community Dental Care serves some of the most vulnerable patients in the Twin Cities. And their data sat exposed for two weeks before anyone noticed.

This Isn't Unusual

In January 2024, Park Dental and Dental Specialists of Minnesota - two of the largest dental groups in the state - reported that an unauthorized third party accessed employee email accounts for 12 days. 277,109 patients affected across dozens of Twin Cities clinics.

These aren't small incidents at obscure practices. These are the biggest dental providers in Minnesota.

Nationally, the numbers are worse:

  • 725 large healthcare breaches reported to HHS in 2024
  • 276-300 million patient records exposed
  • Independent provider attacks rose sixfold between 2021 and 2024
  • 55% of HIPAA enforcement fines are imposed on small practices

The Change Healthcare breach in February 2024 showed what happens when the infrastructure breaks: 192.7 million patients affected, $22 million ransom paid, $2.9 billion in total costs to UnitedHealth Group. The ADA reported that dental practices across the country couldn't submit insurance claims. Pharmacies couldn't process prescriptions. 80% of physician practices lost revenue. Nearly two-thirds of providers used personal funds to cover expenses.

A dental office doesn't need to be the one breached to feel the impact.

Why Dental Offices Are Vulnerable

Most dental practices have 5-15 employees. No IT department. No security team. HIPAA requires a risk analysis, but Westend Dental in Indianapolis proved what happens in practice: they never conducted one. When Medusa Locker ransomware hit in 2020, their servers were physically sitting in break rooms and bathrooms. No password policies. No staff training. They covered up the breach for two years. The Indiana AG fined them $350,000 in January 2025.

The typical dental office faces the same threats as a hospital - ransomware, phishing, credential theft - with a fraction of the defenses. HIPAA fines don't scale down for small practices. A Tier 4 violation (willful neglect, uncorrected) carries a minimum fine of $71,162 per violation, up to $2.13 million per year.

SYNTEX for SMB is $79/month per device for autonomous endpoint security. The alternative: risk a $350,000 fine, a class action lawsuit, and 134,000 patients finding out their Social Security numbers are on the dark web.

14 Days Was Lucky

Here's what most people don't realize about the Community Dental Care breach: 14 days is fast compared to what usually happens.

According to IBM's 2025 Cost of a Data Breach Report, the average healthcare breach takes 279 days from intrusion to containment. Mandiant's 2026 data puts espionage and data theft operations at a 122-day median before detection. And modern ransomware actors now move from initial access to lateral movement in under 29 minutes - some as fast as 27 seconds.

The attackers are getting faster. Detection isn't keeping up. And for a 10-person dental office with no security team, the gap between "attacker gets in" and "someone notices" can be measured in months, not days.

Community Dental Care's attacker was inside for 14 days. If they'd been the quiet kind - the ones who sit and collect data instead of encrypting everything - they could have been there for a year and nobody would have known.

We'll break down exactly why detection takes so long in healthcare in Part 2 of this series: The 279-Day Problem.

What Every Dental Practice Should Do Right Now

Even without buying any product, every dental practice in Minnesota should have, at minimum:

  • MFA on every system that touches patient data
  • Real-time endpoint monitoring (not just antivirus)
  • A HIPAA risk analysis that's actually been conducted
  • An incident response plan (Minnesota's 72-hour reporting law applies to healthcare too)

If Community Dental Care - the largest Medicaid dental provider in the state - couldn't detect an attacker for two weeks, what does your practice have in place?

Next in this series

Part 2: The 279-Day Problem - Why Healthcare Breaches Take Months to Find

Part 3: 29 Minutes to Lateral Movement - Why Detection Speed Is Everything