News

Latest News from Benton-Franklin Counties Dental Society


Latest News from WSDA

Recent Email Scams Targeting Dental Offices: What to Watch For and How to Respond

Jun 13, 2025
WSDA recently became aware of email phishing scams affecting Washington dental offices, where unauthorized messages are being sent directly from the office’s legitimate email address. These emails often include vague subject lines such as “new approved statement” and contain unexpected attachments that may pose a security risk.

We urge dental offices to review email security measures and to not open attachments or click links in emails unless you’re confident the message is legitimate.

Below are two examples of phishing emails received by WSDA from Washington dentists whose email accounts were compromised.

[Two images: examples of phishing email scam attempts.]

If your office hasn't reviewed your current email security measures lately, now is an important time to do so. Below are some key steps you can take to prevent, identify, and respond to potential incidents.

What to Watch For:

  • Emails from known contacts with unusual tone or unexplained attachments
  • Vague or generic subject lines (e.g., “statement,” “document,” or “see attached”)
  • Replies to email threads that don’t seem familiar

How to Respond:

  • Do not open attachments or click links unless you're confident the message is legitimate
  • Verify with the sender through a separate channel (e.g., a quick phone call)
  • Report suspicious activity to your IT provider for investigation
  • Reset email passwords immediately if you suspect unauthorized access
  • Evaluate whether any patient information may have been accessed. If so, follow HIPAA breach response protocols, including documentation and timely notification

Prevention Tips:

  • Use strong, unique passwords and change them regularly
  • Enable multi-factor authentication (MFA) wherever possible
  • Conduct routine staff training on phishing awareness and email safety
  • Keep your security and HIPAA protocols up to date and well-documented

Even a brief compromise of your office’s email system can have serious consequences, especially if protected health information (PHI) is involved. Taking proactive steps now can reduce your risk and ensure a swift, compliant response if an incident does occur.

To help you get started, we’ve created a HIPAA Compliance Checklist to help you assess your current safeguards and identify any gaps. Click here to download the checklist.

Additionally, the FBI has a webpage devoted to spoofing and phishing filled with tips to help dentists and small business owners protect themselves. The Federal Trade Commission also has several resources available at FTC.gov/cybersecurity.


ComplyBetter

If you're looking for additional support with HIPAA training and compliance management, ComplyBetter — a WSDA company — provides an all-in-one online platform designed specifically for dental practices. From required training to customizable documentation and compliance tracking, ComplyBetter makes it easy to stay organized, reduce risk, and keep your team up to date.

Visit www.complybetter.com or reach out to us at info@complybetter.com to learn more!