
HHS OCR $10K HIPAA Fine — Dental Practice Software Vendor, 15 Million Records Breach

📅 2026-03-06

Incident Details

The US Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a $10,000 civil monetary penalty to a dental practice management software vendor responsible for a breach affecting approximately 15 million patient records. The nominal penalty ($10,000 for 15 million affected individuals — less than $0.001 per person) reflects the vendor’s small size and limited financial resources, as HIPAA penalties are scaled based on the organization’s financial capacity. The case highlights the tension in HIPAA enforcement between accountability and deterrence — small healthcare IT vendors handling massive datasets face penalties that may be insufficient to incentivize adequate investment in security. The dental practice software market serves tens of thousands of dental offices nationwide.

Technical Details

Initial Attack Vector: A dental practice management software vendor suffered a data breach exposing protected health information for approximately 15 million dental patients.
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2026-03-06 Breach occurred
  2. 2026-03-06 Publicly disclosed