Dental patient case notes and dentists’ bank details are feared to have been stolen in a hacking attack.
The British Dental Association has admitted to its members that it is still not sure exactly what was accessed in the breach on 30 July.
The BDA’s website has been offline since the hacking, and it is contacting those it thinks had data compromised.
It has urged members to be cautious of any correspondence claiming to be from a bank following the incident.
BDA chief executive Martin Woodrow said the organisation was “devastated” and was still investigating the extent of the breach.
In an email memo to members, he said: “On 30 July our website went down. As we attempted to restore services, it became clear hackers had accessed our systems.
“Owing to the sophistication of these criminals, we cannot, as yet, confirm the full extent of information that has been accessed.
“We are devastated and apologise unreservedly for this breach.”
The BDA told the BBC that the potentially exposed patient case notes would have only related to indemnity insurance claims. These would be related to events where dentists had been accused of malpractice and other errors.
But the association added that it did not hold full patient records.
The BDA is the professional association and registered trade union organisation for dentists in the United Kingdom.
It does not store members’ card details but does hold account numbers and sort codes to collect direct-debit payments.
Mr Woodrow said the association was working to restore its web, telephone and internal networks following the security breach and said the Information Commissioner’s Office had been informed.
A dentist who asked to remain anonymous told the BBC they were concerned about fraudsters accessing their bank account, especially during such a period of unprecedented financial stress.
“If the hackers have access to my business name, address and bank details, along with my own personal details, it could be enough to pull off a huge identity theft scam,” the dentist said.
“If that happens, I may not be able to pay my staff – and at a time when we have all been working so hard to keep the practice up and running for patients during Covid-19.”
Attila Tomaschek, digital privacy expert at ProPrivacy, told the BBC the breach could have serious consequences for those affected.
“The information can be used by cyber-criminals as a launching pad, so to speak, for supplementary efforts at gathering additional personal information from users affected by the breach,” he said.
“It is vitally important for any BDA user affected to remain on alert and be careful not to provide any information to anyone unfamiliar to them that may be requesting it.”
The BDA has urged its members to remain vigilant and reminded them that legitimate callers would never request card or bank details.