Cybersecurity Incidents Reported by Multiple Dental Practices

Posted by Steve Alder

Data breaches have been announced by several dental practices: Bayside Dental (TX/WA), Aldrich Pediatric Dentistry (IN), Stafford Oral Surgery (VA), Garrisonville Dental (VA), and Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest and Cary Park (NC).

Bayside Dental

Bayside Dental, a dental practice with locations in Rowlett, Texas, and Anacortes, Washington, has experienced a cybersecurity incident. Unauthorized network access was identified on or around January 5, 2026, and the forensic investigation confirmed on March 13, 2026, that there had been unauthorized access to files containing patient data on January 5, 2026.

Data potentially viewed or obtained in the incident included full names, dates of birth, Social Security numbers, medical treatment information, medical diagnostic information, prescription information, patient numbers, health insurance information, health insurance plan beneficiaries, and dates of service. Bayside Dental determined that the protected health information of up to 10,216 patients was potentially compromised in the incident. Bayside Dental has offered the affected individuals complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months.

While not described by Bayside Dental as a ransomware attack, the Sinobi ransomware group claimed responsibility and added Bayside Dental to its dark web data leak site. The group claims to have stolen 580 gigabytes of data in the attack, including files containing patient data. Patients should therefore ensure that they sign up for the credit monitoring services being offered.

Aldrich Pediatric Dentistry

Aldrich Pediatric Dentistry in Indianapolis, IN, has also recently announced the exposure of patient data as a result of an email incident. On February 26, 2026, the practice learned that an employee’s email account was compromised on January 16, 2026, as a result of a response to a phishing email on January 16, 2026. The account was immediately secured, and an investigation was launched, which confirmed that the account contained the protected health information of 5,900 individuals.

Data potentially obtained in the attack included names, addresses, email addresses, telephone numbers, dates of service, procedures, and insurance information. Social Security numbers and financial information were not involved. The practice has implemented additional security measures to strengthen email security, and notification letters were mailed to the affected individuals around April 24, 2026.

Vendor Incident Affects Multiple Dental Practices

Several dental practices have recently disclosed data breaches involving a third-party vendor. The practices were contacted by the unnamed vendor on March 19, 2025, and were informed that limited patient data had been accessed by an unauthorized individual in a security incident. The vendor identified the unauthorized access on October 24, 2025, and the forensic investigation confirmed that some of the vendor’s email accounts and files were accessed between October 15 and October 23, 2025, as a result of a phishing attack.

The investigation found no evidence to suggest that the unauthorized third party accessed or copied any files containing patient information; however, unauthorized data access and acquisition could not be ruled out. The breach was limited to the vendor’s email accounts and associated files. There was no unauthorized access to patient medical or dental records. The compromised data varied from individual to individual and may have included names, addresses, dates of birth, medical information, health insurance information, and Social Security numbers. The affected individuals have been notified by mail and offered complimentary credit monitoring and identity theft protection services.

The HIPAA Journal has not yet been able to confirm how many dental practices have been affected; however, the following dental practices have issued breach notices confirming that patient data was potentially compromised in the incident.

Dental Practice Affected Individuals
Stafford Oral Surgery, Virginia 7,019
Garrisonville Dental, Virginia 5,204
Drs. Abdelbaky, Boes, Cameron & Associates of Wake Forest, North Carolina, d/b/a Triangle Family Dentistry 908
Drs. Abdelbaky, Boes, Cameron & Associates of Cary Park, North Carolina, d/b/a Triangle Family Dentistry 547

Spate of Attacks on Dental Practices

There has been a spate of data breaches reported by dental practices recently, including Bridle Trails Family Dentistry in Washington (20,976 individuals), Verber Dental Group PC in New York (8,598 individuals), Bronsky Orthodontics in New York (3,183 individuals) – covered here, and Totem Lake Family Dentistry in Washington (3,464 individuals). Apart from the Verber Dental Group data breach, these incidents involved unauthorized access to email accounts.

Dental practices should ensure that they set strong, unique passwords for employee email accounts, protect accounts with multifactor authentication, implement an email security solution, and provide security awareness training to the workforce to raise awareness of phishing and social engineering.

The post Cybersecurity Incidents Reported by Multiple Dental Practices appeared first on The HIPAA Journal.

Check Point VPN and Google Chrome Vulnerabilities Under Active Exploitation

Posted by Steve Alder

Patches have been issued to fix a critical vulnerability affecting Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewalls, and a high-severity vulnerability in Google Chrome, both of which are being actively exploited in the wild.

Check Point Remote Access VPN Vulnerability

On June 8, 2026, the cybersecurity firm Check Point issued a security advisory about a critical authentication bypass vulnerability tracked as CVE-2026-50751 (CVSS 9.3), which has been actively exploited in zero-day attacks since May 7, 2026. Exploitation of the vulnerability accelerated over the weekend, with a few dozen organizations falling victim to attacks. In one attack, Check Point associated the post-exploit activity with a Qilin ransomware affiliate that has previously targeted vulnerabilities in other VPNs.

The vulnerability affects Check Point Mobile Access, SSL VPN, Remote Access VPN, and Spark Firewalls; however, only if deployments are configured to use the deprecated IKEv1 key exchange protocol. In vulnerable deployments, unauthenticated remote attackers can exploit a logic flaw in certificate validation, which allows them to establish a VPN connection without a valid password, bypassing authentication requirements.

Check Point also identified a second vulnerability while investigating the actively exploited zero day. The vulnerability is also associated with the deprecated IKEv1 key exchange, which can allow a man-in-the-middle attack on VPN site-to-site connections. The vulnerability is tracked as CVE-2026-50752, has a CVSS score of 7.4, and affects Security Gateways and Spark Firewalls. At the time of issuing the patch, there had been no known exploitation of the flaw.

Customers using the IKEv1 key exchange protocol have been advised to apply the security updates as soon as possible. If the hotfixes cannot be immediately applied, users should follow Check Point’s mitigation guidance detailed in the security alert. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerability (KEV) Catalog and ordered all government agencies to secure their deployments by applying the security updates or mitigations within 3 days. or to discontinue use of the product.

Google Chrome Zero-day

Google has released an emergency patch to fix an actively exploited high-severity zero-day vulnerability in Google Chrome. The vulnerability, tracked as CVE-2026-11645, is due to an out-of-bounds read and write flaw in the Chrome V8 JavaScript engine. The vulnerability can be exploited by a remote attacker via specially crafted HTML pages. Successful exploitation allows the attacker to execute arbitrary code inside the web browser sandbox, exposing sensitive information or crashing Chrome.

Google is aware of an exploit for the vulnerability in the wild, and has rolled out updates for users in the Stable Desktop channel for Windows, Mac, and Linux Systems. Further information about the bug is being withheld until the majority of users have updated Chrome.

The post Check Point VPN and Google Chrome Vulnerabilities Under Active Exploitation appeared first on The HIPAA Journal.

Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach

Posted by Steve Alder

The Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Senator Bill Cassidy, M.D. (R-LA), is seeking answers from NYC Health + Hospitals about the steps that have been taken since its recent data breach to improve its security protocols to prevent further cybersecurity incidents and breaches of patient data.

NYC Health + Hospitals discovered suspicious activity within its computer systems on February 2, 2026, with its investigation determining that its systems were accessed by an unauthorized third party for almost three months before the intrusion was detected. The threat actor first accessed its system on February 25, 2026, and retained access until February 11, 2026. The investigation suggests access was gained via a third-party vendor. Data compromised in the incident included names, Social Security numbers, medical information, health insurance information, billing and claims information, payment information, and precise geolocation data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 1.8 million individuals.

In the letter to NYC Health + Hospitals CEO Mitchell Katz and CC’d to NYC Mayor Zohran Mamdani, Sen. Cassidy pointed out that healthcare data breaches are being reported in high numbers. Currently, 772 large healthcare data breaches are listed on the OCR data breach portal, making 2025 a record year for healthcare data breaches. These incidents result in delayed care, and data theft puts patients at risk of identity theft and fraud. NYC Health + Hospitals is the largest public health system in the United States, providing care to 1 million patients a year, and its data breach has created a substantial risk to the population it serves.

Sen. Cassidy seeks answers on both the cybersecurity controls in place prior to the cybersecurity incident and the measures implemented post-incident to protect against further cyberattacks. Specifically, Sen. Cassidy wants answers about the cyber and physical security protocols in place to protect against cyberattacks, how cybersecurity best practices implemented by other critical infrastructure sectors have been incorporated into its security policies and protocols, exactly when it became aware of an intrusion, when and which federal agencies were notified about the incident, and the remedial steps taken to improve security protocols.

Sen Cassidy also wants more detail about the steps taken to identify any additional information that may have been accessed in the attack, how it is proactively communicating with potentially impacted individuals and entities, and what additional reporting it will commit to doing for the affected individuals, beyond the reporting requirements of HIPAA. Sen. Cassidy is seeking a response to the questions no later than June 18, 2026.

Sen. Cassidy is taking a keen interest in cybersecurity incidents at healthcare organizations. He sent a similar letter to Aflac following its massive data breach in 2025 – the second-largest healthcare data breach of the year, affecting almost 14 million individuals – and UnitedHealth Group following the Change Healthcare cyberattack in 2024.

Sen Cassidy, along with Sens. Maggie Hassan (D-NH), Mark Warner (D-VA), and John Cornyn (R-TX) reintroduced the Health Care Cybersecurity and Resiliency Act last year, which was advanced by the HELP committee this Spring, in an attempt to strengthen healthcare cybersecurity and improve resiliency against ever-increasing healthcare cyberattacks and data breaches.

The post Senator Seeks Answers from NYC Health & Hospitals About 1.8M Record Breach appeared first on The HIPAA Journal.