The Dental Ransomware Recovery Playbook
Marcus Hale
Director of Recovery Engineering · DDSArk
Ransomware against dental practices is no longer a rare event. Healthcare ransomware rose roughly 58% in 2025, with about 636 attacks recorded, and dental and other secondary-care providers made up roughly 26% of them. The practices that come through it fastest are not the ones with the biggest budgets. They are the ones that follow a written sequence instead of reacting in panic. This is that sequence: a numbered playbook you can run from the moment you suspect an attack to the day you reopen hardened.
Print it, store a copy off the network, and read the companion piece on what happens in the first hour of a ransomware attack so your team rehearses the opening moves before they ever need them.
Step 1: Isolate, don't power off
Disconnect every affected machine from the network the instant you see a ransom note, encrypted files, or renamed extensions, but do not shut anything down. Pull the Ethernet cable, disable Wi-Fi, and unplug the office from the internet at the router. Powering off destroys volatile evidence in memory (running processes, network connections, and sometimes the encryption key material itself) that an investigator can use to identify the strain and the entry point, and some strains resume or finish encrypting on reboot. Isolation stops the spread to other operatories, the server, and any connected imaging stations while keeping the scene intact. The one exception, which matches CISA's own ransomware guidance: if you genuinely cannot disconnect a machine from the network, powering it down is better than letting it keep encrypting shared drives.
Step 2: Preserve evidence before you clean anything
Resist the reflex to delete the ransom note or start wiping machines. Photograph the ransom screen, record the file extension the attacker used, note the time you first saw symptoms, and leave the affected disks untouched; do not run antivirus "cleanup" on them or reconnect them to check what still opens. Export firewall, VPN, remote-desktop, and email logs now, before they roll over, because those logs are usually what identifies the entry point. If your responders want a memory image, they will capture it while the machine is still running, which is another reason Step 1 says isolate rather than power off. Your cyber-insurance carrier and any forensic team will need all of this. If you destroy evidence, you can jeopardize both an insurance claim and the investigation that tells you whether patient data was actually exfiltrated, which directly drives your notification duties later.
Step 3: Notify your incident-response contact, MSP, and insurer
Call your incident-response lead or managed service provider, your cyber-insurance carrier, and legal counsel before taking further technical action. This is the step practices most often skip, and it is the most expensive to skip. Cyber-insurance policies frequently require you to use their approved responders, and acting first can void coverage. Counsel helps you handle the matter under privilege and frame your HIPAA obligations. Your MSP or recovery partner coordinates the actual restore. Make these calls from a phone or a device that is not on the compromised network, and assume the attacker may be reading mailboxes on compromised accounts, so do not coordinate the response over the practice's email until those accounts have been secured.
Step 4: Assess the scope
Work with your responders to map exactly what was hit: which workstations, which servers, the practice-management database, the imaging archive, and whether any data left the building (check firewall, VPN, and cloud-storage logs for large outbound transfers in the days before encryption). Scope determines everything downstream. A single encrypted front-desk PC is a very different event from an encrypted server that also held your only backup. That second scenario is exactly how many dental practices lose everything. One real case saw a practice with roughly 6,400 records exposed when the encrypted server doubled as the backup location. Understand why this happens in why your dental backup got encrypted too.
Step 5: Do not rush to pay
Decide on ransom only with counsel and your insurer, and understand the odds before you do. CISA and the FBI advise against paying ransom because payment funds further crime and does not guarantee recovery. The data backs this up: only about 2% of organizations that paid recovered all of their data, while the average ransom demand in 2025 was around $615,000. Paying also does nothing to undo a data breach that already happened; a decryptor does not unsend the files the attacker copied out. A practice with clean, off-site backups simply does not need to negotiate. See how to recover a dental practice after ransomware without paying for the full case.
Step 6: Rebuild on clean hardware
Do not restore onto the same machines that were compromised. Reimage or replace affected workstations and servers from known-good media (not from an image captured after the intrusion began), patch the operating systems fully, and rotate every credential, including domain admin, service accounts, remote-access logins, and any backup-repository or cloud API keys; in an Active Directory domain, also reset the krbtgt account password twice, the standard post-compromise step that invalidates forged Kerberos tickets. Restoring a backup onto an infected host just re-encrypts your data. Build a clean foundation first, then bring data back to it.
Step 7: Restore from immutable, off-site backups
Restore your data from backups the attacker could not reach or alter. The properties that matter are immutability (write-once, so encrypted or deleted files cannot overwrite good ones), off-site or air-gapped storage (so a network-wide attack cannot touch it), and encryption in transit and at rest. DDSArk captures application-consistent, immutable copies stored off-site so a restore point exists even when every on-premises copy is encrypted. Begin with the practice-management database and the most recent clean restore point, confirmed against the timeline you built in Step 4. Attackers commonly sit inside a network for days or weeks before they encrypt, so prefer a restore point that predates the intrusion, not just the encryption, and have your responders scan the restored data and rebuilt hosts before reconnecting them to the clinical network. If you are weighing your backup architecture, compare air-gapped vs immutable backups.
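The scoping in Step 4 and the restore-point choice in Step 7 can be made mechanical. The script below is an added example, not DDSArk's software or any vendor's tooling: it takes a file inventory (path plus last-modified time) from the encrypted server and a list of backup snapshots with their file listings, works out which appended extension the ransomware used, brackets the encryption window, lists candidate ransom notes, and picks the newest snapshot that both predates the first encryption by a safety margin and contains no encrypted files or notes. The inventory, the snapshot names, the `.locked` extension, the note-name keywords, and the 30-minute margin are all constructed assumptions.

```python
"""Attack timeline and last-clean-restore-point selection.
Added example, not DDSArk code.  Every path, timestamp, snapshot name and
the '.locked' extension below is constructed test data."""
import os
from collections import Counter
from datetime import datetime, timedelta

NOTE_KEYWORDS = ("restore", "decrypt", "recover")  # assumption: words seen in note filenames
MIN_HITS = 2                       # an extension seen fewer times than this is not called ransomware
MARGIN = timedelta(minutes=30)     # assumption: slack for clock skew and timestomped files

# Constructed inventory of the encrypted server: (path, last-modified, UTC).
INVENTORY = [
    ("D:/Backups/nightly.bak.locked",            datetime(2025, 3, 14, 2, 38)),  # earliest hit
    ("D:/PMS/practice.db.locked",                datetime(2025, 3, 14, 2, 41)),
    ("D:/Images/1042/pa_2025-01-09.jpg.locked",  datetime(2025, 3, 14, 2, 52)),
    ("D:/Images/1042/RESTORE_FILES.txt",         datetime(2025, 3, 14, 2, 53)),  # ransom note
    ("D:/Ledger/export.csv.locked",              datetime(2025, 3, 14, 3, 10)),  # latest hit
    ("D:/Images/1077/bw_2025-02-20.jpg",         datetime(2025, 2, 20, 15, 5)),  # untouched
    ("D:/Scans/consent.pdf",                     datetime(2025, 3, 13, 18, 30)), # untouched
]

# Constructed snapshot catalogue: (snapshot id, time taken, file listing).
SNAPSHOTS = [
    ("snap-0314-0300", datetime(2025, 3, 14, 3, 0),
     ["D:/PMS/practice.db.locked", "D:/Images/1042/RESTORE_FILES.txt"]),
    ("snap-0314-0200", datetime(2025, 3, 14, 2, 0),
     ["D:/PMS/practice.db", "D:/Backups/RESTORE_FILES.txt"]),   # note dropped before 02:00
    ("snap-0313-2200", datetime(2025, 3, 13, 22, 0),
     ["D:/PMS/practice.db", "D:/Images/1042/pa_2025-01-09.jpg", "D:/Backups/nightly.bak"]),
    ("snap-0312-2200", datetime(2025, 3, 12, 22, 0),
     ["D:/PMS/practice.db", "D:/Backups/nightly.bak"]),
]


def appended_extension(path):
    """Trailing extension of a file that carries two, e.g. 'practice.db.locked' -> 'locked'."""
    parts = os.path.basename(path).split(".")
    return parts[-1].lower() if len(parts) >= 3 else None


def find_ransom_extension(inventory):
    """Most common appended extension, if it appears often enough to be systematic."""
    counts = Counter(filter(None, (appended_extension(p) for p, _ in inventory)))
    if not counts:
        return None
    ext, hits = counts.most_common(1)[0]
    return ext if hits >= MIN_HITS else None


def find_ransom_notes(paths):
    """Text files whose names look like ransom notes; a human confirms the list."""
    return sorted(p for p in paths if p.lower().endswith(".txt")
                  and any(k in os.path.basename(p).lower() for k in NOTE_KEYWORDS))


def encryption_window(inventory, ext):
    """(first, last) modification time among files carrying the ransomware extension."""
    times = [t for p, t in inventory if appended_extension(p) == ext]
    return (min(times), max(times)) if times else (None, None)


def snapshot_is_clean(listing, ext):
    """Clean means no encrypted files and no ransom notes inside the snapshot itself."""
    return (not any(appended_extension(p) == ext for p in listing)
            and not find_ransom_notes(listing))


def choose_restore_point(snapshots, first_encrypted, ext):
    """Newest snapshot taken before the encryption started (minus MARGIN) and clean by content."""
    cutoff = first_encrypted - MARGIN
    for snap_id, taken_at, listing in sorted(snapshots, key=lambda s: s[1], reverse=True):
        if taken_at < cutoff and snapshot_is_clean(listing, ext):
            return snap_id
    return None


def build_timeline(inventory, snapshots):
    """Summary a responder can paste into the incident record."""
    ext = find_ransom_extension(inventory)
    first, last = encryption_window(inventory, ext) if ext else (None, None)
    return {
        "extension": ext,
        "first_encrypted": first,
        "last_encrypted": last,
        "ransom_notes": find_ransom_notes(p for p, _ in inventory),
        "restore_point": choose_restore_point(snapshots, first, ext) if first else None,
    }


if __name__ == "__main__":
    for key, value in build_timeline(INVENTORY, SNAPSHOTS).items():
        print(f"{key:>16}: {value}")
```

The content check on each snapshot is the part people skip: the 02:00 snapshot in the sample predates the earliest encrypted-file timestamp, so a timestamp-only rule would have restored it, yet it already holds a ransom note the attacker dropped in the backup folder. Treat the chosen snapshot as a candidate to confirm with your responders, and remember that it predates the encryption, not necessarily the intrusion.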
Step 8: Validate the PMS and imaging together
A restored database is not a recovered practice. Bring back the practice-management system and the imaging archive together, then verify them as a unit. Open patient charts, confirm appointments and ledgers reconcile, and open radiographs and intraoral images to confirm they link correctly to the right patients. Imaging is frequently stored separately from the PMS database, which means a restore that looks complete can still be missing every X-ray. Test the specifics for your software with the guides for Dentrix, Open Dental, and Eaglesoft. Do not see patients until a clinician has confirmed records and images are intact.
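As an added example of the Step 8 check (not code from DDSArk, Dentrix, Open Dental, or Eaglesoft, whose schemas all differ), the script below models a restored practice-management database as an in-memory SQLite database with a hypothetical two-table schema (`patient`, `document`) and the restored image share as a set of relative paths, then reports the failure modes a clinician would otherwise find chart by chart: image rows whose file is missing from the share, files on the share that no chart references, document rows pointing at a patient that does not exist, images filed under a different patient's folder than the row says, and patients with no images at all. All patient rows and file names are constructed.

```python
"""Reconcile a restored PMS database with the restored image share.
Added example, not vendor code.  The schema, patient rows, document rows
and file list are constructed; real PMS schemas differ, so adapt the SQL."""
import sqlite3

SCHEMA = """
CREATE TABLE patient  (pat_num INTEGER PRIMARY KEY, last_name TEXT, first_name TEXT);
CREATE TABLE document (doc_num INTEGER PRIMARY KEY, pat_num INTEGER,
                       file_name TEXT, date_created TEXT);
"""
# Constructed rows standing in for the restored database.
PATIENTS = [(1042, "Alvarez", "Nina"), (1077, "Okafor", "Ben"), (1090, "Singh", "Priya")]
DOCUMENTS = [
    (1, 1042, "1042/pa_2025-01-09.jpg",   "2025-01-09"),
    (2, 1042, "1042/bw_2025-03-02.jpg",   "2025-03-02"),  # never made it to the share
    (3, 1077, "1077/bw_2025-02-20.jpg",   "2025-02-20"),
    (4, 2001, "2001/pan_2024-11-11.jpg",  "2024-11-11"),  # patient 2001 does not exist
    (5, 1077, "1042/ceph_2025-01-15.jpg", "2025-01-15"),  # filed under another patient's folder
]
# Constructed listing of the restored image share, relative to its root.
IMAGE_SHARE = {
    "1042/pa_2025-01-09.jpg",
    "1042/ceph_2025-01-15.jpg",
    "1077/bw_2025-02-20.jpg",
    "1077/pan_2025-02-20.jpg",   # on disk, but no document row points at it
}


def load_restored_db():
    """Build the in-memory stand-in for the restored PMS database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    db.executemany("INSERT INTO document VALUES (?, ?, ?, ?)", DOCUMENTS)
    return db


def reconcile(db, files_on_share):
    """Cross-check every document row against the share and the share against the rows."""
    rows = db.execute("""
        SELECT d.doc_num, d.pat_num, d.file_name, p.pat_num IS NOT NULL
        FROM document d LEFT JOIN patient p ON p.pat_num = d.pat_num
    """).fetchall()
    referenced = {file_name for _, _, file_name, _ in rows}
    report = {
        # The chart says the image exists; the restored share does not have it.
        "missing_files": sorted(fn for _, _, fn, _ in rows if fn not in files_on_share),
        # An image on disk that no chart references: stray, or from a different restore point.
        "orphan_files": sorted(files_on_share - referenced),
        # A document row whose patient is gone: database and share restored from different times.
        "orphan_rows": sorted(doc for doc, _, _, has_patient in rows if not has_patient),
        # Folder name disagrees with the row: the image is linked to the wrong patient.
        "mismatched_folders": sorted(doc for doc, pat, fn, _ in rows
                                     if not fn.startswith(f"{pat}/")),
        # Not necessarily an error (new patients), but worth a glance against the pre-incident count.
        "patients_without_images": [pn for (pn,) in db.execute(
            "SELECT pat_num FROM patient WHERE pat_num NOT IN "
            "(SELECT pat_num FROM document) ORDER BY pat_num")],
    }
    # Hard failures block reopening; orphan files and image-less patients are review items.
    report["ok"] = not any(report[k] for k in ("missing_files", "orphan_rows", "mismatched_folders"))
    return report


if __name__ == "__main__":
    for key, value in reconcile(load_restored_db(), IMAGE_SHARE).items():
        print(f"{key:>24}: {value}")
```

Run the same reconciliation against the file count and patient count you recorded during scoping: if the restored share has fewer radiographs than the pre-incident inventory, the restore is incomplete even when every row above reconciles.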
Step 9: Meet your HIPAA breach-notification obligations
Work with counsel to determine and meet your notification duties. Under the HIPAA Breach Notification Rule, a ransomware event that encrypts protected health information is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the data was compromised, which is exactly why the evidence you preserved in Step 2 matters. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery; breaches affecting 500 or more people must be reported to the Department of Health and Human Services at the same time and, where 500 or more residents of one state are affected, to prominent media, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. This is not legal advice and the specifics depend on your facts, but the obligation is real and delay is costly. One practice reached a $350,000 settlement tied to a delayed breach notification. Document what data was affected, when, and what you did, because that record is the backbone of compliant notification.
Step 10: Harden so it cannot happen again
Close the door the attacker walked through. Enforce multi-factor authentication on every remote-access and email account, take remote desktop off the internet entirely or put it behind a VPN that itself requires MFA, segment imaging and clinical systems from the front office, patch on a schedule, and run phishing awareness with staff. This matters because most healthcare organizations are not fully staffed for security in the first place, with only around 14% reporting full staffing. Then test your restores regularly, because a backup you have never restored is a hope, not a plan.
Run a tabletop now, not during an incident. The practices that recover in days instead of weeks rehearse this sequence before they need it. Walk your team through Steps 1 through 4 quarterly, time how long it takes to reach a clean restore point, and fix the gaps you find.
Keep the playbook within reach
The worst time to read a recovery plan for the first time is mid-attack. Keep this sequence printed and stored off the network, assign an owner to each step, and ask your DDSArk MSP partner for the one-page printable checklist. For the financial picture behind these decisions, read dental ransomware in 2026: the real costs.
Key takeaways
- Isolate affected machines from the network rather than powering them off; powering off destroys forensic evidence and can trigger more encryption, and is a last resort only for a machine you cannot disconnect.
- Notify your incident-response contact, MSP, cyber-insurance carrier, and legal counsel before taking further technical action, or you risk voiding coverage.
- Do not rush to pay: CISA and the FBI advise against it, and only about 2% of organizations that paid recovered all their data.
- Always rebuild on clean hardware and restore from immutable, off-site backups so you don't re-encrypt your own data.
- Validate the practice-management system and imaging archive together; a restored database with missing X-rays is not a recovered practice.
- Meet HIPAA breach-notification obligations on time and harden the environment afterward so the same entry point cannot be reused.
Frequently asked questions
Should I power off computers during a ransomware attack?
No. Disconnect them from the network instead. Powering off can destroy evidence stored in memory that helps identify the attack and, in some cases, triggers additional encryption when the machine reboots. Isolation stops the spread while preserving the forensic scene your insurer and responders will need.
Should a dental practice pay the ransom?
Security agencies including CISA and the FBI advise against paying. Payment funds further attacks and does not guarantee recovery; only about 2% of organizations that paid recovered all their data. A practice with tested, immutable, off-site backups can restore without negotiating with attackers at all.
Why do ransomware attacks often encrypt the backup too?
Because the backup lives on the same network, the same server, or a connected drive the attacker can reach. Backups that are immutable (write-once) and stored off-site or air-gapped cannot be encrypted or deleted in a network-wide attack, which is what makes recovery without paying possible.
Does a ransomware attack count as a HIPAA breach?
It often can, depending on the facts. In general a ransomware event affecting protected health information may be a reportable breach, with timelines for notifying patients and HHS. This is not legal advice; work with counsel to determine your specific obligations, and document everything to support compliant notification.
How fast can a dental practice recover from ransomware?
It varies widely; the healthcare average is roughly 19 days, but practices with tested immutable backups and a rehearsed playbook often recover far faster. The biggest delays come from restoring onto infected hardware, discovering imaging was never backed up, and skipping the notification and insurance steps.
Related reading
- What Happens in the First Hour of a Ransomware Attack: a minute-by-minute look at the first hour of a dental ransomware attack, what the attacker already did, and the actions that protect your patients and your practice.
- Ransomware: Why Your Dental Backup Got Encrypted Too. Your practice had backups, but ransomware encrypted them too. Here's why modern attacks delete backups first and how immutable, off-site copies fix it.
- Ransomware: Dental Ransomware in 2026: The Real Costs. Ransom is the smallest line item. The real 2026 cost of a dental ransomware attack is recovery, downtime, settlements, and lost trust, itemized.
- Ransomware: Air-Gapped vs Immutable Backups. Air-gapped and immutable backups both defend against ransomware, but in different ways. Here's how they compare and why dental practices should combine them.
- Ransomware: Recover a Dental Practice After Ransomware Without Paying. A clean, immutable, off-site backup removes the ransom decision entirely. Here is the step-by-step path to recovering a dental practice without paying.
- PMS How-Tos: How to Back Up Dentrix the Right Way in 2026. Copying the Dentrix folder isn't a backup. Here's how to protect the database, charts, ledgers, and imaging with application-consistent, immutable, off-site copies in 2026.
- PMS How-Tos: The Complete Guide to Backing Up Open Dental. Open Dental is a database plus an image folder. Backing up one without the other, or copying live files, leaves you with backups that won't restore.
- PMS How-Tos: How to Back Up Eaglesoft Without Losing Records or Imaging. Eaglesoft keeps your records in a database and your imaging in separate folders. Back up both, application-consistently, off-site and immutable, or risk losing everything.