Why dental gets singled out
Three reasons.
First, dental is overwhelmingly a small-business specialty. Most practices are solo or small partnerships with no privacy officer, no dedicated IT, and no compliance staff. They lean on outside vendors for marketing, patient communications, and IT, and every one of those vendor relationships is a potential BAA gap.
Second, dental marketing is uniquely aggressive online. Practices compete heavily on online reviews, social media presence, before-and-after photos, and specialty marketing (cosmetic, pediatric, orthodontic). The marketing channels that drive new-patient acquisition are exactly the channels where HIPAA disclosures happen most.
Third, dental practices respond to online reviews. This is where the most common dental-specific HIPAA violation happens. A patient leaves a negative Yelp or Google review. The practice responds to defend itself. The response confirms the reviewer was a patient and discusses the visit. That is a disclosure of PHI for which the practice has no §164.508 authorization and no other permitted basis.
The Manasa Health Center, New Vision Dental, and several other OCR cases all started exactly this way.
The biggest dental case of the last five years: MMG Fusion
In March 2026, OCR settled with MMG Fusion LLC for $10,000 plus a three-year corrective action plan. The dollar amount is small. The breach was massive.
MMG Fusion was a dental marketing software company. It served thousands of dental practices with patient communication, scheduling reminders, and review-management tools. To do those jobs, MMG had access to dental practice patient databases.
In December 2020, an unauthorized actor accessed PHI of approximately 15 million individuals — names, phone numbers, addresses, email addresses, dates of birth, and appointment information. The data was posted on the dark web. MMG didn't report the breach to its dental-practice customers (the covered entities) for more than two years.
The settlement covers MMG itself, not the dental practices. But MMG was a business associate, and once its customers (the covered entities) learned of the breach they had their own obligations under §164.404 to notify affected patients. Most weren't tracking the situation closely enough to know they had one.
The MMG case is the most important reminder that BAA gaps with small, specialty vendors can be just as damaging as gaps with major SaaS providers. The dollar amount of the OCR settlement isn't a measure of patient impact.
The five most-common web findings at dental practices
In our scans, these five issues account for the majority of HIPAA-relevant findings at dental practices.
Tracking pixels on cosmetic and specialty pages. Cosmetic dentistry, orthodontics, dental implants, sleep apnea, and pediatric dentistry are heavily marketed online. Many practices run Meta Pixel, Google Analytics, and remarketing pixels on these pages. The pages are clinical-context pages that fall outside the AHA v. Becerra carve-out. Several class actions are now active against dental groups specifically.
Online appointment scheduling without a BAA. Most dental practices use one of: their practice-management system's built-in scheduling (usually BAA-covered), or a third-party widget like Yapi, Solutionreach, NexHealth, RevenueWell, or LocalMed (BAA coverage varies by plan). Free or basic-tier scheduling widgets are common because the cost is low. The BAA gap they leave is not.
Online review responses that confirm patient status. Almost universal. Every "Sorry to hear you had a bad experience, please call our office to discuss" response confirms the reviewer was a patient. That confirmation alone is a disclosure of PHI without the §164.508 authorization it would need.
Patient communication via SMS and text without a BAA. Most dental SMS reminder systems (Solutionreach, RevenueWell, Lighthouse 360, Modento, Yapi) include BAAs on standard plans. But practices that use generic SMS gateways (Twilio without the BAA add-on, EZ Texting, basic CRM-based texting) have BAA gaps.
Photo-sharing and social-media use of before-and-after images. Dental practices love showing off cosmetic work. A full-face photograph is an identifier, and without a specific patient authorization for marketing use these posts are §164.508 violations. Even with an authorization, its scope has to match the use: a consent signed for the practice's own website does not cover Instagram, Facebook, or TikTok.
The right-of-access pattern
Dental practices are disproportionately represented in OCR's HIPAA Right of Access Initiative. The pattern: a patient asks for their records. The practice doesn't respond, or responds slowly, or charges an inappropriate fee. The patient files an OCR complaint. OCR investigates. The practice gets a settlement requirement.
Most of these settle in the $15K-$80K range. Gums Dental Care fought OCR for five years over a right-of-access case and ended up with a $70K civil money penalty plus a corrective action plan. Most practices would have been better off responding to the original request.
The Right of Access Initiative is procedural — the violation is failing to provide records, not how the website is built. But it's worth knowing about because it's the most common reason a small dental practice ends up in an OCR settlement.
The DSO complication
Dental Service Organizations (DSOs) are larger entities that operate multiple practices under varying degrees of central management. The big DSO platforms: Aspen Dental, Heartland Dental, Pacific Dental Services, Smile Brands, MB2 Dental.
DSOs have larger marketing and IT functions than individual practices. They also have more web surface area, more vendors, and more potential failure points. In our scans, DSOs typically have:
- Centralized marketing technology (more consistent than individual practices, but with bigger blast radius when something is wrong)
- Practice-locator tools that combine geographic data with specialty information
- Online appointment systems integrated across all locations
- Sometimes patient-portal systems, sometimes not
For DSOs, the issue we see most often is that the central marketing team's compliance posture isn't matched by the local practices. Local practices respond to reviews, post photos to social media, and run their own ad campaigns — often with no coordination with the central privacy team.
What dental practices should do this quarter
Three things, in order.
First, audit the website with the same rigor a hospital should. Take a pixel inventory page by page, check the scheduling widget against the BAA file, and review the practice's social-media accounts for photos that identify patients.
Second, train staff on review responses. The script should be "We can't discuss specific patients on a public platform. If you'd like to address a concern, please call our office at [number]." Nothing that confirms or denies patient status.
Third, audit your vendor inventory. List every SaaS tool the practice pays for. Cross-reference against your BAA file. The MMG Fusion case is a reminder that small specialty vendors are often the highest-risk point.
For DSOs, add a fourth: get the central marketing team and local practice managers in a room twice a year to align on what each is and isn't allowed to do online. Most DSO HIPAA incidents we see come from the local-vs-central gap.
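The pixel inventory from the first step and the BAA cross-reference from the third can be combined into one pass over the site. The script below is an added example written for this page, not a tool from the scanning service described here: it parses page HTML, collects every third-party host the page loads (including hosts referenced inside inline scripts, since the Meta Pixel is bootstrapped inline and only injects its script tag at runtime), maps hosts to vendors, and flags vendors that appear on clinical-context pages with no BAA on file. The vendor catalog, the BAA list, the clinical-path hints, the sample pages and the hostname `example-scheduler.test` are all constructed for the example; the scheduler host is a placeholder and is not any real vendor's domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed catalog: domain suffix -> vendor. Suffix matching lets
# subdomains (www., connect., googleads.g.) resolve to the same vendor.
# "example-scheduler.test" is a placeholder for a scheduling widget that
# does have a BAA; it is not a real vendor's hostname.
VENDOR_CATALOG = {
    "facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "googletagmanager.com": "Google Tag Manager",
    "google-analytics.com": "Google Analytics",
    "doubleclick.net": "Google Ads remarketing",
    "googleadservices.com": "Google Ads conversion tag",
    "example-scheduler.test": "Example Scheduling Widget",
}

# Constructed BAA file: vendors with a signed BAA on record. Meta and
# Google do not sign BAAs for their advertising pixels.
BAA_ON_FILE = {"Example Scheduling Widget"}

# Path fragments that mark a page as clinical-context (an assumption;
# tune to the practice's own site map).
CLINICAL_PATH_HINTS = ("implant", "orthodont", "cosmetic", "sleep-apnea",
                       "pediatric", "veneer")

_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class _ResourceCollector(HTMLParser):
    """Collect hosts from script/img/iframe src attributes and from any
    URL that appears inside an inline <script> body."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self._add(urlparse(src).netloc)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline pixel loaders live here
            for host in _URL_HOST_RE.findall(data):
                self._add(host)

    def _add(self, host):
        host = host.lower().strip()
        if host:
            self.hosts.add(host)


def external_hosts(html):
    """Return the set of hostnames a page references."""
    parser = _ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.hosts


def vendor_for(host, catalog=VENDOR_CATALOG):
    for suffix, vendor in catalog.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None  # first-party or uncatalogued host; review by hand


def is_clinical_page(path):
    return any(hint in path.lower() for hint in CLINICAL_PATH_HINTS)


def audit_pages(pages, catalog=VENDOR_CATALOG, baa_file=BAA_ON_FILE):
    """pages: {path: html}. One finding per (page, catalogued host)."""
    findings = []
    for path, html in pages.items():
        for host in sorted(external_hosts(html)):
            vendor = vendor_for(host, catalog)
            if vendor is None:
                continue
            findings.append({"path": path, "host": host, "vendor": vendor,
                             "clinical_page": is_clinical_page(path),
                             "baa_on_file": vendor in baa_file})
    return findings


def high_risk(findings):
    """Clinical-context page sending data to a vendor with no BAA."""
    return [f for f in findings if f["clinical_page"] and not f["baa_on_file"]]


# Constructed sample pages; the Meta loader is abbreviated to its URL.
SAMPLE_PAGES = {
    "/": """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
</head><body><img src="/images/logo.png"></body></html>""",
    "/services/dental-implants": """<html><head>
<script>!function(f,b,e,v,n,t,s){/* loader elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
</head><body>
<script src="https://widget.example-scheduler.test/embed.js"></script>
</body></html>""",
    "/contact": """<html><body>
<iframe src="https://www.google.com/maps/embed?pb=placeholder"></iframe>
</body></html>""",
}

if __name__ == "__main__":
    for f in high_risk(audit_pages(SAMPLE_PAGES)):
        print(f"{f['path']}: {f['vendor']} via {f['host']}, clinical page, no BAA")
```

On the sample pages this reports one high-risk finding: the Meta Pixel on the implants page, which the static `src` scan alone would have missed. Two caveats apply to any static inventory of this kind. Tags loaded through Google Tag Manager, and scripts injected by other scripts, never appear in the HTML, so a complete inventory has to capture the browser's actual network requests (a headless browser with request logging) and diff them against this list. And the catalog is only as good as its coverage; an uncatalogued host is not a clean result, it is a host someone has to look up.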
We scan dental practices and DSOs with the same methodology used for hospitals. The vendor catalog is tuned for dental — it includes Yapi, Solutionreach, NexHealth, MMG, RevenueWell, Lighthouse 360, Modento, LocalMed, and the other dental-specific vendors that don't appear in general HIPAA tools.