July 13th, 2026
Dental Practice Acquisition IT Due Diligence: The Checklist Brokers Miss
Industry Research — DSO
Most dental practice acquisitions are won or lost on the financials, the lease, and the patient base. The part that quietly wrecks deals after closing is the one nobody scrutinizes with the same rigor.
As a 20+ year dental IT veteran who has led IT diligence on dental practice acquisitions for over 250 practices totaling approximately $1 billion in acquisition value, I’ve seen firsthand the IT pitfalls that can haunt what looked like a promising deal. The pattern is almost always the same: the buyer valued the equipment they could see and never priced the risk they could not. That gap is not just an operational headache, it is enterprise value, because the IT posture you inherit either protects your multiple or quietly discounts it. What follows is how to run technology and cybersecurity diligence properly, the items brokers and CPAs routinely miss, and why every one of them gets harder when you are folding the practice into a group.
Why IT Diligence Is the Line Item That Quietly Blows Up Dental Deals
Financials get audited. The lease gets read line by line. IT usually gets a single bullet on someone else’s checklist, and that is exactly where the six-figure surprises hide. A practice that looks clean on paper can carry an end-of-life server, an unpatched network, an unresolved breach, or software the seller does not actually have the rights to move, and none of it shows up on the profit and loss statement.
The reason is structural. Your attorney can read a contract and your CPA can validate the numbers, but neither can tell you the network you are buying is already compromised, or that the incumbent IT contract auto-renews and cannot be canceled at close. That is a dental IT question, and it belongs in diligence before you sign, not in a cleanup project after.
Conduct Thorough IT Diligence
Most buyers underrate IT diligence, and it costs them. Assess the real state of the IT infrastructure before you finalize the purchase, because the first year almost always demands real money to stabilize and upgrade what you inherited. Find those needs early and you can adjust the purchase price to reflect them, instead of eating an unplanned capital expenditure in month three.
Good diligence means a full review of every hardware and software system in place, with each one’s condition and remaining life written down. Inventory the servers, workstations, networking equipment, and the software the practice runs on. Then find the gaps, the missing pieces that will slow the office down the day after you take over.
Look Beyond Digital Equipment
Digital tools like CBCTs, 3D scanners, and printers matter, but they should not pull attention away from the core IT infrastructure underneath them. Plenty of practices pair impressive imaging equipment with outdated servers, aging computers, and tired networking gear. Diligence that looks only at the shiny equipment is how buyers walk into costly surprises. Assess every IT component, not just the ones on the counter.
The equipment is only as good as the infrastructure carrying it. A practice can own state-of-the-art imaging and still choke on it, because the network bandwidth and storage behind it cannot keep up. Check that the digital tools you are paying for actually integrate with, and run well on, the systems already in place.
The IT and Cybersecurity Red Flags Brokers and CPAs Miss
This is the layer a transition attorney or accountant cannot evaluate, and it is where the real inherited risk lives. Each item below is something you take on the moment you sign, whether or not anyone checked for it.
An Inherited Breach You Do Not Know About Yet
Cybersecurity is often overlooked during acquisitions, but it’s a critical area. Many individual practice breaches go unreported, because most dental offices run on small IT providers that lack the resources to detect or handle a security incident. An attacker can sit inside a network for weeks or months, and if that intrusion is present at close, you are the one who inherits it, along with the breach notification obligations and the liability. Confirm your cybersecurity terms cover incidents that began before the acquisition, and have the network checked for an active compromise, not just for antivirus and a firewall.
The Practice’s Cyber Insurance and Breach History
Ask for the seller’s cyber insurance history and any prior claims. A policy that was declined, non-renewed, or priced unusually high is a signal that an underwriter already found something you should know about. A practice with no cyber coverage at all is telling you the same thing a different way. This history rarely appears in a standard diligence packet, and it is one of the cleanest early reads on the real security posture you are buying.
End-of-Life Servers and the Real Remediation Cost
An unsupported operating system or a server past its service life is not a minor line item. It is a system that can no longer receive security patches, will not satisfy the HIPAA Security Rule safeguards a risk analysis is measured against, and increasingly will not qualify the practice for cyber insurance. Price the remediation before you close. Replacing an aging server, migrating the practice management data, and bringing the network to a defensible baseline can run well into five figures per location, and it is far cheaper to negotiate that as a price adjustment than to absorb it as a surprise in month two.
Who Actually Owns the Practice Management Data
Confirm the practice management software, its licensing, and its data-export rights transfer cleanly to you. Dentrix, Eaglesoft, and Open Dental each handle ownership, hosting, and conversions differently, and a practice does not always hold the export rights a buyer assumes it does. Verify that patient records, images, and the underlying database can be exported or migrated in a usable format, because a PMS you cannot cleanly move is a hidden switching cost, and images in particular often live outside the main database in a separate file store that a rushed conversion leaves behind.
HIPAA Risk-Analysis Gaps and Inherited Business Associate Agreements
Ask to see the practice’s most recent HIPAA Security Risk Analysis. Many practices have never completed one, and the absence itself is the single most common finding in federal enforcement actions. You also inherit the seller’s Business Associate Agreements, so inventory every vendor that touches patient data and confirm each has a current, valid BAA in place. Post-acquisition, you own both the gaps and the vendor relationships, and an Office for Civil Rights investigation after an incident opens with one predictable request: show us your risk analysis.
The Incumbent IT or MSP Contract
Read the existing IT provider’s contract before you close, specifically for the term, auto-renewal language, and any change-of-control clause. A managed services agreement that renews automatically or survives a sale can lock you into the very provider whose thin coverage created the problems you found in diligence. Knowing the exit terms in advance lets you plan a clean transition rather than discovering you are contractually stuck the week after closing.
Backups That Have Never Been Test-Restored
A practice can have a backup running and still have no ability to recover, because a backup that has never been restored is an assumption, not a safeguard. Confirm that backups exist, that they are isolated or immutable rather than sitting on the same network as the live data, and ask for evidence of a successful test restore. Solid backup and disaster recovery is the single control that most often separates a two-day recovery from a two-week shutdown if something goes wrong after you take over.
Trust but Verify
Use the practice’s current IT provider to gather the starting data, the equipment specs, ages, operating systems, and software versions. Then verify all of it independently. IT providers vary widely in quality, from reactive break-fix shops to full managed teams, and the support model the practice runs on tells you a lot about the shape it is in. Leaning on an unvetted vendor’s word is how inaccuracies slip into a purchase decision. An independent check gives you a clear, honest picture of the IT health you are actually buying.
Cross-check what you were given against an independent audit. An outside IT firm brings an objective read and surfaces the issues an incumbent vendor either missed or had no reason to raise. That is what makes the information behind your acquisition decision something you can actually trust.
For DSOs: Folding an Acquired Practice Into the Group
For a dental group, IT diligence does not end at the practice line. Every acquisition either raises or lowers the security baseline of the entire organization, because the moment you connect a new office to shared identity, a central database, or site-to-site networking, its weakest control becomes everyone’s weakest control. The practice you acquired last quarter, still running the legacy setup it came with, is very often the softest entry point in the whole group.
That reality changes what diligence has to accomplish. Beyond assessing the single office, a group has to plan how the acquired practice will be brought onto a standardized security baseline, a common identity and access model, and consistent monitoring, and how quickly. A per-location readiness view, rather than a single pass-or-fail verdict, is what keeps one acquisition from quietly degrading the posture of every location you already own. This is the same discipline that runs through our DSO technology playbook, and it is why integrating new acquisitions consistently ranks among the hardest IT challenges a growing group faces.
Turning IT Diligence Into Deal Leverage
Every finding above is a number you can bring to the table. An end-of-life server, an uncovered breach, a missing risk analysis, or a locked-in IT contract is a documented cost, and a documented cost is a price adjustment or a remediation credit rather than a bill you eat after closing.
The larger point is the one Tom Terronez makes often: full IT integration can increase a DSO’s valuation by 2 to 4 times EBITDA. Unaddressed technology and security risk is a discount a future buyer’s diligence team will find and price into your multiple, exactly the way you should be pricing it into the practice you are acquiring now. A clean, standardized, defensible IT stack is not just an operational win. It is enterprise value. You can see how the largest failures played out in our breakdown of the biggest dental data breaches, and how to choose a partner built for this work in our guide to the best IT providers for DSOs.
Dental Acquisition IT Due Diligence FAQs
What does IT due diligence cover when buying a dental practice?
IT due diligence is a pre-close assessment of everything technology-related you are about to inherit: a full hardware and software inventory with each system’s age and remaining life, the network and server condition, cybersecurity posture and any active or unreported breach, HIPAA risk-analysis and Business Associate Agreement status, practice management software ownership and data-export rights, the seller’s cyber insurance and claim history, the incumbent IT contract terms, and the state of the backups. The goal is to price the real remediation cost before you sign rather than absorb it afterward.
Can you inherit a data breach when you acquire a dental practice?
Yes. If an attacker is already inside the practice’s network at the time of sale, or a breach occurred and was never reported, the acquiring owner generally inherits both the incident and its liability, including HIPAA notification obligations. This is why cybersecurity belongs in diligence before closing, and why your purchase terms should explicitly address incidents that began before the acquisition. A practice running on a small IT provider with no real monitoring is the most likely place for an undetected compromise to be sitting.
Why is acquisition IT diligence harder for a DSO or multi-location group?
Because the risk does not stay in the acquired office. Once a new practice is connected to a group’s shared identity, database, or network, its weakest security control becomes a risk to every location. A single acquired office with a legacy setup can lower the security baseline of the entire organization, so a group has to plan not only whether to buy, but how and how fast to bring the practice onto a standardized, monitored security posture before it becomes the group’s soft entry point.
Posted in DSO