
Why your dental practice probably needs a backup you're not currently running

Most dental and medical practices we onboard are surprised to learn the same thing: Microsoft 365 does not back up your data.

Not in the way you’d assume. Not in the way that protects you from the actual scenarios that take practices down — accidental deletion, account compromise, ransomware on synced files, a disgruntled employee deleting their own mailbox before they walk out the door.

This isn’t a marketing line. It’s in Microsoft’s own documentation, under their “shared responsibility model.” Microsoft handles infrastructure availability and short-term retention. Anything beyond that is your problem.

What Microsoft actually does

Microsoft’s responsibility ends with making sure their servers don’t fall over and your mail doesn’t disappear due to their hardware failure. They keep deleted items in mailboxes for about 30 days. They version files in SharePoint and OneDrive for a similar window.

That’s it. That’s the backup story from Microsoft.

If something is deleted intentionally — by a user, by an attacker, by a script — and you don’t catch it within that retention window, the data is gone. Microsoft will tell you this directly if you ask their support team. We’ve seen the tickets.

The scenarios that actually happen

In our experience working with East Valley practices, these are the three patterns that cause real data loss:

1. Ransomware on synced files. An employee opens a malicious attachment. Their OneDrive starts encrypting. The encrypted files sync up to the cloud. By the time anyone notices, the “good” versions have aged out of version history. Recovery from Microsoft’s tools alone is partial at best.

2. Account compromise + deletion. An attacker gets into a mailbox via phishing. They start deleting emails to cover their tracks while they impersonate the account holder for wire fraud. By the time you discover the breach, your audit trail is gone.

3. Departing employees. A staff member leaves under bad terms. Before their account is disabled, they empty their inbox, delete shared OneDrive files, and remove themselves from SharePoint sites. Microsoft’s recovery window is short. The trail goes cold.

What you actually need

A separate, immutable backup of your M365 tenant. The key word is immutable — meaning that once a backup is taken, it cannot be modified or deleted, even by an admin, even by an attacker with full credentials, until its retention period expires.

For practices, that typically covers:

  • Mailboxes — all email, contacts, and calendar items, even after accounts are deleted
  • OneDrive — every user’s files, with the ability to restore to any point in time
  • SharePoint — shared sites, document libraries, team files
  • Teams — chats, files, channels

Backups should run daily (or more frequently), be stored separately from the M365 environment, and have a retention period that matches your industry’s requirements. For HIPAA-covered practices, six years of relevant records is the standard floor.

Cost: roughly $3–6 per user per month

This is one of the most cost-effective insurance policies you can buy. For a 15-person practice, you’re looking at $45–90 a month for genuine peace of mind on the most likely data-loss scenarios. Compare that to even one day of being unable to access patient records during operating hours.

What to ask your current IT provider

If you have managed IT today, ask three specific questions:

  1. “Are we running a third-party backup of our Microsoft 365 tenant?” A “yes, Microsoft has it” is the wrong answer.
  2. “How often is restore tested?” Backups you haven’t tested aren’t backups; they’re hopes.
  3. “What’s the retention period, and is the storage immutable?” If they don’t know what immutability means in this context, that tells you something.
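The requirements under "What you actually need" and the three questions above can be turned into a repeatable check over a backup job inventory. This is an added example, not code from the original post or from any backup vendor; the record fields, the 90-day restore-test threshold and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = {"mailboxes", "onedrive", "sharepoint", "teams"}  # workloads listed in the post
MAX_BACKUP_AGE = timedelta(days=1)          # "daily (or more frequently)"
MIN_RETENTION = timedelta(days=6 * 365)     # six-year floor named in the post
MAX_TEST_AGE = timedelta(days=90)           # assumption: the post gives no test interval

def audit(jobs, now):
    """Return (workload, gap) tuples for a backup inventory; empty list means no gap."""
    seen = {j["workload"]: j for j in jobs}
    gaps = [(w, "no third-party backup job") for w in sorted(REQUIRED - seen.keys())]
    for w, j in sorted(seen.items()):
        if j["in_tenant"]:
            gaps.append((w, "copy is stored inside the M365 tenant"))
        if now - j["last_success"] > MAX_BACKUP_AGE:
            gaps.append((w, "last successful backup is older than one day"))
        if j["retention"] < MIN_RETENTION:
            gaps.append((w, "retention is below six years"))
        # Immutable: the newest copy stays locked until its retention period ends.
        expires = j["last_success"] + j["retention"]
        if j["lock_until"] is None or j["lock_until"] < expires:
            gaps.append((w, "copy can be deleted before retention expires"))
        tested = j["last_restore_test"]
        if tested is None or now - tested > MAX_TEST_AGE:
            gaps.append((w, "no recent restore test"))
    return gaps

def job(workload, now, age_h, keep_days, lock_days, test_days, in_tenant=False):
    """Build one constructed inventory record (hypothetical fields, not a vendor format)."""
    last = now - timedelta(hours=age_h)
    return {
        "workload": workload, "in_tenant": in_tenant, "last_success": last,
        "retention": timedelta(days=keep_days),
        "lock_until": None if lock_days is None else last + timedelta(days=lock_days),
        "last_restore_test": None if test_days is None else now - timedelta(days=test_days),
    }

NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)  # constructed reference time
SAMPLE = [  # constructed inventory; Teams is deliberately missing
    job("mailboxes", NOW, age_h=6, keep_days=7 * 365, lock_days=7 * 365, test_days=30),
    job("onedrive", NOW, age_h=72, keep_days=30, lock_days=None, test_days=None, in_tenant=True),
    job("sharepoint", NOW, age_h=2, keep_days=6 * 365, lock_days=365, test_days=45),
]

if __name__ == "__main__":
    for workload, gap in audit(SAMPLE, NOW):
        print(f"{workload:<11} {gap}")
```

In the sample, SharePoint passes on frequency, retention and restore testing but still fails, because its lock ends five years before its retention does.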

The right setup takes about a day to deploy and a week to validate end-to-end. If you’d like us to take a look at your current setup and tell you what’s actually backed up versus what you think is backed up, we offer that as part of our free 30-minute assessment.

There’s no pitch at the end. Either we find you’re already covered properly (great), or you discover a gap you didn’t know about (also useful), and we tell you exactly what it would take to close it.
