The Printer That Opened the Vault

The Client

The practice, a well-established dental group with three locations across a mid-sized metropolitan area, had recently been asked by their cyber insurance carrier to provide evidence of a third-party security assessment. Their managed IT provider handled day-to-day operations and had assured them the network was "locked down."

The office manager coordinated the engagement. During the scoping call, she was straightforward about their expectations.

"Honestly, we expected this to be a formality. Our IT company told us everything was configured properly. We just needed the report for the insurance renewal." -- Office Manager

The Engagement

The assessment team, led by senior penetration tester Marcus Webb, began with external reconnaissance followed by an on-site internal network test. The external perimeter was reasonably well-maintained. The internal network was a different story.

The first domino: a lobby printer

Within the first two hours of the internal assessment, Marcus identified a Ricoh multifunction printer in the main office lobby that was still running factory default credentials on its web administration panel. This is not unusual -- network printers are among the most overlooked devices in any organization. But what came next surprised even the testing team.

"When I pulled up the printer's admin panel and the default password worked, I expected to find maybe some scan-to-email settings. What I actually found was a full set of LDAP credentials the printer was using to authenticate against Active Directory. That changed the entire scope of what we were looking at." -- Marcus Webb, Lead Penetration Tester

A flat network with no barriers

The LDAP credentials extracted from the printer worked against Active Directory. Worse, the service account had been given domain-wide read permissions -- likely a shortcut taken years earlier to "make the printer work" with the network scanner feature.

The network itself was completely flat. All three office locations, connected via site-to-site VPN tunnels, shared a single network segment with no VLANs, no segmentation, and no access controls between devices. The front desk workstation in the lobby sat on the same network as the server hosting patient records.

12,000 patient records, wide open

Using the compromised service account, Marcus navigated to the practice's file server. Multiple SMB shares were configured with "Everyone: Full Control" permissions, including folders labeled Patient Records, Insurance Claims, and Billing.

Inside were over 12,000 patient records spanning more than a decade. Names, dates of birth, Social Security numbers, insurance policy numbers, and complete treatment histories -- all stored as unencrypted Word documents and Excel spreadsheets. None of the files were password-protected. None of the shares required additional authentication beyond a valid domain account.

"I've done hundreds of these assessments, and this one still stands out. The path from a lobby printer to 12,000 patient records took less than twenty minutes. No exploits, no special tools. Just default passwords and a flat network." -- Marcus Webb, Lead Penetration Tester

Medical devices on the same wire

The assessment also revealed that digital X-ray systems and panoramic imaging equipment at two of the three locations were accessible on the same network segment. These devices were running outdated operating systems -- one was still on Windows 7 Embedded, which has not received security updates since January 2020. The devices had no endpoint protection installed.

No logging, no monitoring, no trail

Perhaps the most concerning finding from a compliance perspective: there was no audit logging enabled on any file share, no centralized log collection, and no monitoring of any kind for unusual access patterns. If a real attacker had done exactly what the testing team did, there would have been zero evidence of the intrusion.

"That's what really shook them. It wasn't just that the data was exposed. It was that someone could have been accessing it for months or years, and they would never have known." -- Sarah Chen, Account Manager

The Impact

When the findings were presented to the practice's managing partners, the room went quiet. The practice had operated for 15 years believing their network was secure because they had antivirus software and a firewall. Nobody had ever tested whether those controls actually prevented an attacker from reaching sensitive data.

The reality was stark: a single misconfigured printer in a public-facing area of the office provided a direct path to every patient record the practice had ever created. Under HIPAA, the potential exposure could have resulted in fines of up to $1.5 million per violation category, along with mandatory breach notification to every affected patient.

The Remediation

What Could Have Happened

Ransomware groups actively target healthcare organizations because of the urgency to restore access to patient data. In 2025, the average cost of a healthcare data breach reached $1.93 million. For a practice this size, a ransomware event or reported data breach could have meant:

• Mandatory notification to 12,000+ patients
• HIPAA fines ranging from $100,000 to $1.5 million
• Regulatory investigation and potential corrective action plan
• Loss of patient trust and referral relationships
• Potential class-action liability
• Weeks of operational downtime across all three locations

Instead, the practice identified and fixed these issues before anyone with malicious intent found them. Their insurance carrier accepted the remediation report, and the practice now operates on an annual testing cycle.

"We went in thinking this was just a checkbox for our insurance. We came out with a completely different understanding of where we actually stood. I'm glad we found out this way." -- Managing Partner