Defending Dental Practices: Analysis and Detection of PII Exfiltration Attacks

Security Arsenal Team
June 2, 2026

Recent disclosures confirm that patient data has been exposed in separate cyberattacks targeting Bridle Trails Family Dentistry, Verber Dental Group, and Bronsky Orthodontics. While the specific vectors for each incident are still being finalized in breach notifications, the pattern is clear: dental practices are high-value targets for threat actors seeking Protected Health Information (PHI).

For defenders, this is not just a compliance issue; it is an active threat to patient safety and institutional integrity. Dental practice management environments often run legacy software, rely on shared administrative credentials, and store imaging in flat-file databases, which makes them ripe for rapid data exfiltration. We need to shift from simply checking compliance boxes to actively hunting for the behaviors that precede these breaches.

Technical Analysis

Sector Context: Dental practices typically utilize Practice Management Software (PMS) such as Eaglesoft, Dentrix, or OpenDental. These platforms often rely on underlying SQL databases or file-based repositories for X-rays and PHI.

Likely Attack Vectors: Based on the 2026 threat landscape and historical analysis of similar incidents, compromises in this sector generally follow one of three paths:

  1. Exposed Remote Services: Compromise of RDP or VPN endpoints via brute-forcing or credential stuffing.
  2. Phishing: Initial access via malicious attachments leading to payload delivery (e.g., infostealers).
  3. Supply Chain: Vulnerabilities in third-party dental imaging or billing software.

The Objective: The primary goal in these incidents is Data Exfiltration. Attackers locate directories containing patient databases (often .mdb, .db, or .mdf files) and imaging repositories (.dcm, .xray, .jpg). Once accessed, data is staged using legitimate tools (like rar, 7z, or powershell) and exfiltrated over encrypted channels (HTTPS/SSH).

Exploitation Status: There is no specific CVE referenced in the current reporting of these three incidents. Therefore, we must treat this as an active campaign utilizing valid credentials or commodity malware rather than a zero-day exploit. The risk lies in the lack of detection on file access and egress traffic.

Detection & Response

Because these attacks focus on data theft rather than just encryption (ransomware), traditional "anti-virus" solutions often miss the activity. We need to monitor for abnormal interactions with sensitive data stores.

Sigma Rules

The following rules target the suspicious access and manipulation of common dental data storage structures and the use of archiving tools often used for staging.

YAML
---
title: Suspicious Access to Dental Practice Management Directories
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects processes accessing common directories for Dental Practice Management Software (Dentrix, Eaglesoft) which may indicate data theft.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\Dentrix\\'
      - '\\Eaglesoft\\'
      - '\\OpenDental\\'
      - '\\Images\\'
  filter_legit:
    Image|contains:
      - '\\Dentrix\\'
      - '\\Eaglesoft\\'
      - '\\OpenDental\\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate backup software accessing these directories
level: high
---
title: Potential Data Staging via Archiving Tools
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects usage of archiving tools like 7-Zip or WinRAR often used to compress PHI prior to exfiltration.
references:
  - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.collection
  - attack.t1560.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\7z.exe'
      - '\\7za.exe'
      - '\\winrar.exe'
      - '\\zip.exe'
    CommandLine|contains:
      - 'a '
      - '-tzip'
      - '-mhe'
  condition: selection
falsepositives:
  - Administrative backups
level: medium
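The two Sigma rules above, together with the data-store file types listed under The Objective, re-implemented as plain Python so their matching behaviour can be checked against sample events. This is an added example, not code from the original post and not a Sigma engine; field names follow the rules' logsource conventions (TargetFilename/Image for file_access, Image/CommandLine for process_creation), the sample events are constructed, and the tightened archiver check at the end is my own variant, not the page's rule.

```python
"""Re-implement the two Sigma rules above in plain Python and run them over
constructed Windows events.

Added example: not code from the original post and not a Sigma engine. Sigma
string modifiers match case-insensitively, so every comparison lower-cases
both sides. The tightened archiver check is my variant, not the page's rule.
"""
import shlex

PMS_DIRS = ("\\dentrix\\", "\\eaglesoft\\", "\\opendental\\", "\\images\\")
PMS_INSTALL_DIRS = ("\\dentrix\\", "\\eaglesoft\\", "\\opendental\\")
ARCHIVERS = ("\\7z.exe", "\\7za.exe", "\\winrar.exe", "\\zip.exe")
ARCHIVE_FLAGS = ("a ", "-tzip", "-mhe")
# Data-store extensions from "The Objective" section; used only by the
# tightened variant below.
PHI_EXTENSIONS = (".mdb", ".db", ".mdf", ".dcm", ".xray", ".jpg")


def rule_pms_dir_access(event):
    """Rule 1: selection (TargetFilename inside a PMS directory) and not
    filter_legit (the accessing Image itself lives under a PMS install dir)."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = any(d in target for d in PMS_DIRS)
    filter_legit = any(d in image for d in PMS_INSTALL_DIRS)
    return selection and not filter_legit


def rule_archive_staging(event):
    """Rule 2 as written: an archiver Image plus any flag substring.
    Note that 'a ' as a bare substring matches almost any path with spaces."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(ARCHIVERS) and any(f in cmd for f in ARCHIVE_FLAGS)


def rule_archive_staging_tight(event):
    """My tightened variant: the add command 'a' must be the first argument
    token and the command line must reference a PHI data-store extension or
    a PMS directory, which is what staging for exfiltration looks like."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(ARCHIVERS):
        return False
    try:
        argv = shlex.split(cmd, posix=False)   # keeps backslashes, honours quotes
    except ValueError:                         # unbalanced quote in the command line
        argv = cmd.split()
    if len(argv) < 2 or argv[1] != "a":
        return False
    return any(ext in cmd for ext in PHI_EXTENSIONS) or any(d in cmd for d in PMS_DIRS)


def evaluate(events):
    """Return [(event index, rule name)] for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "file_access" and rule_pms_dir_access(ev):
            hits.append((i, "pms_dir_access"))
        if ev["kind"] == "process_creation":
            if rule_archive_staging(ev):
                hits.append((i, "archive_staging"))
            if rule_archive_staging_tight(ev):
                hits.append((i, "archive_staging_tight"))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: the PMS itself reading its database -> suppressed by filter_legit
    {"kind": "file_access", "Image": "C:\\Program Files\\Dentrix\\Dentrix.exe",
     "TargetFilename": "C:\\Dentrix\\Data\\Patients.mdb"},
    # 1: unknown binary in a user profile reading the same database -> fires
    {"kind": "file_access", "Image": "C:\\Users\\front\\AppData\\Roaming\\upd.exe",
     "TargetFilename": "C:\\Dentrix\\Data\\Patients.mdb"},
    # 2: benign extraction; matches 'a ' only because of "Java Update" -> page rule fires, tight variant does not
    {"kind": "process_creation", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": '"C:\\Program Files\\7-Zip\\7z.exe" x "C:\\Temp\\Java Update.7z" -oC:\\Temp'},
    # 3: encrypted archive of the patient database -> both variants fire
    {"kind": "process_creation", "Image": "C:\\Program Files\\7-Zip\\7z.exe",
     "CommandLine": '"C:\\Program Files\\7-Zip\\7z.exe" a -mhe -p C:\\Temp\\x.7z C:\\Dentrix\\Data\\*.mdb'},
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Event 2 is the case to watch when tuning the second rule: any command line containing a word ending in "a" followed by a space satisfies the `'a '` substring, so in production the archiver rule is better paired with a reference to the data stores themselves, as the tightened variant does.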

KQL (Microsoft Sentinel)

This query hunts for mass file access or modification events within known sensitive directories, a common precursor to exfiltration.

KQL — Microsoft Sentinel / Defender
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"C:\Dentrix" or
  FolderPath contains @"C:\Eaglesoft" or
  FolderPath contains @"\\Server\Dentrix" or
  FolderPath contains @"\\Server\Images"
| where ActionType in ("FileCreated", "FileModified", "FileAccessed")
// !in~ compares case-insensitively; plain !in would let "DENTRIX.EXE" through
| where InitiatingProcessFileName !in~ ("Dentrix.exe", "Eaglesoft.exe", "OpenDental.exe", "explorer.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath, ActionType
// bucket into 1-hour bins; summarizing on the raw Timestamp gives a count of 1 per event and never exceeds the threshold
| summarize count() by bin(Timestamp, 1h), DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath
| where count_ > 10
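The filter, aggregate and threshold logic of the Sentinel hunt above, carried out offline in Python over DeviceFileEvents-style rows. This is an added example, not code from the original post; the rows are constructed, the one-hour bin and the case-insensitive process comparison are my choices, and the column names are the ones the query uses.

```python
"""Offline equivalent of the Sentinel hunt above: keep file events in the
sensitive folders, drop the PMS binaries and the shell, count the rest per
(device, initiating process, folder) in one-hour bins and flag bins over a
threshold.

Added example, not code from the original post. It runs over constructed
DeviceFileEvents-style rows; real input would be an exported query result
with the same column names. The one-hour bin and the case-insensitive
process comparison are my choices.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SENSITIVE_FOLDERS = ("c:\\dentrix", "c:\\eaglesoft",
                     "\\\\server\\dentrix", "\\\\server\\images")
EXCLUDED_PROCESSES = {"dentrix.exe", "eaglesoft.exe", "opendental.exe", "explorer.exe"}
ACTIONS = {"FileCreated", "FileModified", "FileAccessed"}


def mass_access_hits(rows, bin_minutes=60, threshold=10):
    """Return {(bin_start, device, process, folder): count} for every bin
    whose event count exceeds `threshold` (KQL: `where count_ > 10`)."""
    counts = Counter()
    bin_seconds = bin_minutes * 60
    for r in rows:
        folder = r["FolderPath"].lower()
        if not any(s in folder for s in SENSITIVE_FOLDERS):      # FolderPath contains ...
            continue
        if r["ActionType"] not in ACTIONS:                        # ActionType in (...)
            continue
        if r["InitiatingProcessFileName"].lower() in EXCLUDED_PROCESSES:
            continue
        ts = r["Timestamp"]
        # equivalent of bin(Timestamp, 1h): floor the timestamp to the start of its bin
        bin_start = datetime.fromtimestamp(
            int(ts.timestamp()) // bin_seconds * bin_seconds, tz=timezone.utc)
        counts[(bin_start, r["DeviceName"],
                r["InitiatingProcessFileName"], r["FolderPath"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def _row(ts, device, process, folder, action="FileAccessed"):
    return {"Timestamp": ts, "DeviceName": device,
            "InitiatingProcessFileName": process,
            "FolderPath": folder, "ActionType": action}


def build_sample_rows():
    """Constructed rows, not real telemetry: an unknown binary touching the
    Dentrix data folder 12 times in a minute (should fire), the PMS itself
    touching it 30 times (excluded), and the same unknown binary in a
    non-sensitive folder 15 times (ignored)."""
    t0 = datetime(2026, 5, 15, 9, 0, tzinfo=timezone.utc)
    rows = []
    rows += [_row(t0 + timedelta(seconds=5 * i), "FRONTDESK-01", "upd.exe",
                  "C:\\Dentrix\\Data") for i in range(12)]
    rows += [_row(t0 + timedelta(seconds=2 * i), "FRONTDESK-01", "Dentrix.exe",
                  "C:\\Dentrix\\Data", "FileModified") for i in range(30)]
    rows += [_row(t0 + timedelta(seconds=3 * i), "FRONTDESK-01", "upd.exe",
                  "C:\\Users\\front\\Downloads") for i in range(15)]
    return rows


if __name__ == "__main__":
    for (bin_start, device, process, folder), n in mass_access_hits(build_sample_rows()).items():
        print(f"{bin_start:%Y-%m-%d %H:%M} {device} {process} {folder}: {n} events")
```

Running it on the sample rows yields a single hit: the unknown binary in the Dentrix data folder, 12 events in the 09:00 bin. The PMS's own 30 modifications and the activity in the Downloads folder are dropped by the exclusion list and the folder filter respectively, which is the same shape of result the KQL returns.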

Velociraptor VQL

This artifact hunts for processes that have open handles to dental data directories, identifying active memory-resident threats accessing PHI.

VQL — Velociraptor
-- Hunt for processes with open file handles into Dental PMS directories.
-- handles() only returns handle-level columns (Pid, Type, Name); the process
-- context (Name, CommandLine, Exe, Username) comes from pslist() joined on Pid.
LET pms_handles = SELECT Pid, Name AS HandlePath
  FROM handles()
  WHERE Type = 'File'
    AND Name =~ '(?i)(Dentrix|Eaglesoft|OpenDental)'

SELECT Pid, Name, CommandLine, Exe, Username, HandlePath
FROM foreach(row=pms_handles,
  query={
    SELECT Pid, Name, CommandLine, Exe, Username, HandlePath
    FROM pslist(pid=Pid)
  })
GROUP BY Pid

Remediation Script (PowerShell)

Use this script to audit RDP exposure and identify non-standard processes interacting with common database ports or directories on the local machine.

PowerShell
# Audit RDP exposure and common dental service ports on the local machine.
# Get-WindowsFeature exists only on Windows Server (ServerManager module), so
# RDP state is read from the Terminal Server registry key, which also works on
# workstations: fDenyTSConnections = 0 means RDP connections are allowed.
Write-Host "Checking RDP Status..."
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    Write-Host "WARNING: RDP connections are enabled on this host." -ForegroundColor Red
} else {
    Write-Host "RDP connections are disabled."
}

# Check for listeners on common DB ports (1433 MSSQL, 3306 MySQL) and report the
# owning process path so non-standard binaries stand out.
$dbPorts = 1433, 3306
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Where-Object { $dbPorts -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("Listening on port {0}: PID {1} {2}" -f $l.LocalPort, $l.OwningProcess, $proc.Path) -ForegroundColor Yellow
}

# Audit directory access permissions on common dental paths
$paths = @("C:\Dentrix", "C:\Eaglesoft", "C:\Program Files\OpenDental")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "Auditing ACLs for $path"
        # .Access lists each ACE (identity, rights, allow/deny, inherited) in readable form
        (Get-Acl $path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    }
}

Remediation

Immediate defensive actions are required to secure dental practice environments against these active campaigns:

  1. Network Segmentation: Dental X-ray sensors and PMS servers should be on an isolated VLAN, separate from the general office network and guest Wi-Fi.
  2. Disable RDP: If remote access is required, mandate the use of a VPN with MFA. Direct RDP exposure to the internet is the primary entry vector for this sector.
  3. Patch Management: Ensure all third-party dental imaging software (often a neglected attack surface) is updated to the latest 2026 releases.
  4. Account Hygiene: Review all local administrator accounts on practice workstations. Disable shared accounts used by front-desk staff that have admin privileges.
  5. Egress Filtering: Configure firewalls to block outbound traffic from workstations to the internet except for necessary business ports (80/443). Block all outbound SSH and RDP.
