Biggest Dental Data Breaches of All Time

No dental practice thinks it is a target until the morning the schedule will not load.

The biggest dental data breaches of the last several years should put that idea to rest for good. Dental practices, multi-location groups, and the insurers behind them hold exactly the data attackers want: Social Security numbers, government IDs, financial accounts, insurance details, and treatment records, often for entire families and, in the Medicaid cases, millions of children. The ten breaches below are ranked by the number of people affected, and every one of them carries a specific lesson about how the attack happened and what the organization could have done differently. Medix Dental IT has spent more than 20 years securing dental environments, so this is written from the defender’s side of the table, not as a scare piece.

The 10 Biggest Dental Data Breaches of All Time

1. MCNA Dental: 8.9 Million Records (2023)

MCNA Dental, one of the largest administrators of government-sponsored dental benefits in the country, suffered the biggest dental-sector breach on record. The LockBit ransomware gang accessed MCNA’s network in late February 2023, exfiltrated roughly 700GB of data, and demanded a $10 million ransom. When MCNA refused, LockBit published the stolen data. The final count was 8,923,662 individuals, many of them children enrolled in Medicaid and CHIP dental programs, along with their parents and guardians.

What went wrong: the intruder moved through MCNA’s network for roughly a week and a half before detection, long enough to copy hundreds of gigabytes out the door. That points to gaps in monitoring and segmentation that let a single foothold reach an enormous store of identity data. Dwell time is the enemy, and endpoint detection that flags lateral movement and bulk transfers in hours, not days, is the difference between an incident and a catastrophe.

2. Delta Dental of California: 6.9 Million Records (2023)

Delta Dental of California and its affiliates were caught in the MOVEit mass-hack, the year’s defining supply-chain attack. The Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit file-transfer tool before any patch existed, exfiltrating data from thousands of organizations that used it. For Delta Dental of California, that meant 6,928,932 individuals exposed, including Social Security numbers, financial accounts, and passport numbers.

The technical flaw was the vendor’s, not Delta Dental’s, but the regulatory failures were organizational. New York’s financial regulator later faulted the insurer for lacking a written incident-response plan, for retaining sensitive files longer than its own tools defaulted to, and for notifying regulators roughly six months after detection. It settled with NYDFS for $2.25 million. The lesson is that you inherit your vendors’ risk. You cannot outsource the obligation to vet third-party tools, minimize the data you hand them, and notify on time.

3. Absolute Dental: 1.2 Million Records (2025)

Absolute Dental, a Nevada group with more than 50 locations, was breached through its IT vendor. An attacker ran a malicious version of a legitimate software tool through an account belonging to the practice’s managed services provider, and used that trusted access to reach 1,223,635 patient records. A proposed class-action settlement of $3.3 million received preliminary approval, with a final approval hearing set for July 2026.

What went wrong is the cleanest cautionary tale in this list: a single MSP account became a master key. The lesson for every practice and DSO that outsources IT is that your vendor’s access is your attack surface. MSP accounts need phishing-resistant MFA, least-privilege scoping, and monitored remote-access sessions, because the entry point here was not a dental employee. It was the IT vendor everyone trusted by default.

4. Dental Care Alliance: 1 Million-Plus Records (2020)

Dental Care Alliance, a DSO supporting more than 320 affiliated practices across about 20 states, was the first dental breach to cross a million people. Attackers accessed the network over a roughly three-week window in fall 2020 and reached patient files; the count was initially reported at 1,004,304 and later amended upward to more than 1.7 million. A subset had Social Security numbers, financial accounts, or driver’s license numbers exposed. The case settled for $3 million in 2022.

The takeaway is structural. A DSO that aggregates protected health information from hundreds of practices becomes a single high-value target, and a three-week dwell time on a repository that large is a monitoring failure. Centralization is a strength operationally and a risk concentration in security terms. The same platform that makes a group efficient makes it a bigger prize.

5. Risas Dental & Braces: 618,000 Records (2024)

Risas Dental & Braces, a multi-state group across Arizona, Colorado, Texas, and Nevada, detected unauthorized activity on its systems in July 2023. The investigation found that an attacker had reached internal file stores and downloaded patient data, affecting 618,189 individuals. Notably, the exposed files did not include Social Security numbers or full treatment records, which made this a less severe breach per person than several smaller ones on this list.

That contrast is the lesson. Breach severity is not just headcount, it is what data was reachable. Risas limited the damage because the exposed file stores did not hold the full identity-theft kit. Segmenting and minimizing the most sensitive data, so that a server compromise does not automatically mean SSNs walk out the door, is what shrinks the blast radius when, not if, an attacker gets in.

6. Park Dental and The Dental Specialists: 277,000 Records (2024)

Two affiliated Minnesota dental groups, Park Dental and The Dental Specialists, disclosed a combined 277,109 affected patients (238,667 and 38,442) from a single email-account compromise in January 2024. An attacker reached multiple employee Microsoft email accounts over about two weeks. The organizations stated that multifactor authentication was in place but was circumvented during the intrusion.

This is the “MFA alone is not enough” case. Legacy push-prompt and SMS-based MFA can be defeated by phishing, token theft, and prompt-bombing, which is why phishing-resistant MFA (hardware keys or number-matching) matters. The second failure was that patient data was sitting in email inboxes at all. PHI that lives in a mailbox turns one hijacked account into a six-figure breach.

7. First Choice Dental: 228,000 Records (2023)

First Choice Dental, a group of clinics in and around Madison, Wisconsin, detected a ransomware event in October 2023. The attacker encrypted data and demanded a ransom, and the exposed data was a high-severity mix: names, Social Security numbers, passport numbers, driver’s licenses, financial accounts, and health information. The practice notified 228,287 people, the class-action settlement class was defined as 159,145 individuals, and First Choice agreed to a settlement valued at up to $1,225,000.

Two failures stand out, and both are about process rather than the hack itself. Notifications did not go out until roughly nine months after the attack, well past the 60-day window HIPAA expects. And the practice reported only an interim count of 1,000 individuals to federal regulators, a figure the official breach portal was never updated to correct. The lesson is that your incident-response and notification playbook is part of your security posture, not an afterthought once the technical fire is out.

8. Chord Specialty Dental Partners: 173,000 Records (2025)

Chord Specialty Dental Partners, a Tennessee-based DSO supporting more than 60 affiliated practices across six states, suffered an email-account compromise that exposed 173,430 individuals. Attackers had access to several employee mailboxes for more than five weeks before being caught, and the data in those inboxes included Social Security numbers, driver’s licenses, bank and payment-card details, and medical information. The breach triggered at least seven class-action lawsuits.

The pattern repeats: PHI accumulating in email, an account takeover that went undetected for weeks, and a long gap before patients were notified. The defense is the same playbook that would have helped Park Dental and the other email-compromise victims on this list: phishing-resistant MFA on every mailbox, anomalous-login alerting so an intrusion is caught in hours, and a hard rule that sensitive data does not live in inboxes.

9. Professional Dental Alliance: 173,000 Records (2021)

Professional Dental Alliance was breached through its management and IT vendor, North American Dental Management. Attackers sent phishing emails to the vendor’s employees, several of whom handed over their credentials, and those harvested logins opened the email accounts holding patient data for numerous affiliated practices across 11 states. The cascade reached 172,933 individuals, with Social Security numbers and financial accounts among the exposed data.

This is the business-associate version of the MSP problem. One vendor compromise exposed every affiliated practice at once. The lesson is that vendor risk management is patient-data security: a business associate’s email defenses, MFA, and phishing training are effectively your own, and they belong in your risk assessment and your contracts.

10. Henry Schein: 166,000 Records (2023)

Henry Schein, the dental industry’s largest distributor and the company behind widely used practice-management software, was hit by the BlackCat ransomware gang in fall 2023. The attackers dwelled in the network for more than two weeks, claimed to steal around 35TB of data, and then re-encrypted the company’s systems a second time while restoration was underway and ransom negotiations were breaking down. The final count was 166,432 individuals, revised up from an initial 29,000. Henry Schein settled a class action for $2.9 million.

The second encryption is the lesson most organizations miss. Backups are necessary but not sufficient. Henry Schein began restoring while the attacker still had access, so the environment was re-compromised before it was confirmed clean. Recovery has to happen in an isolated, verified-clean environment, and your largest vendors are single points of failure whose outages can freeze ordering and software for practices nationwide.

The Most Common Threats Dental Practices and DSOs Face Today

Read those ten cases back to back and the same handful of attack patterns appear again and again. These are the threats to plan for now.

Ransomware and data-theft extortion. Gangs like LockBit and BlackCat encrypt systems and leak stolen data to force payment. Dental practices are attractive because encrypted systems halt scheduling, billing, and care across every location at once. The defense is immutable, offline backups tested with real restore drills, endpoint detection on every device, and network segmentation so one practice’s breach cannot reach the whole group.

Supply-chain and shared-software exploits. The Delta Dental of California breach came through a zero-day in a vendor’s file-transfer tool, not through Delta Dental’s own systems. When the dental sector runs on a small set of shared platforms, one vendor flaw exposes millions. The defense is a vendor inventory and risk register, patch SLAs and breach-notification clauses in contracts, and minimizing the data you share with any third party.

MSP and IT-vendor compromise. Absolute Dental was breached through its own IT provider’s privileged access. Most practices and even mid-size DSOs hand an MSP deep, standing access through legitimate management tools. The defense is least-privilege and just-in-time access for vendors, phishing-resistant MFA on every MSP account, and monitoring of remote-management tool usage.

Business email compromise. Park Dental, Chord, and Professional Dental Alliance were all breached through hijacked mailboxes full of patient data. The defense is phishing-resistant MFA instead of push-prompt MFA that gets fatigue-approved, conditional access rules, mailbox anomaly alerting, and a discipline of never letting PHI accumulate in email.

Phishing and credential theft. This is the entry point feeding nearly every breach above. Stolen credentials let an attacker log in as a trusted user and operate undetected in an environment that has no security team watching. The defense is MFA everywhere, recurring phishing simulations, and an email gateway that detonates links and attachments before they reach staff.

The single pattern underneath all of it: dental organizations are almost never breached through a dramatic frontal assault on hardened systems. They are breached through trusted identities and trusted third parties, a phished login or a compromised vendor, after which the attacker quietly reaches a large hoard of long-retained patient data. For a DSO, centralization multiplies the damage, because one compromised identity or vendor scales across every practice at once. That is why so many of the names above are multi-location groups and management companies rather than single chairs.

What This Means for Your Practice or Group

None of the defenses these breaches point to are exotic. The baseline is consistent across every case: phishing-resistant multifactor authentication, endpoint detection and response on every device, identity governance inside your Microsoft 365 or Google Workspace tenant, immutable and tested backups, a vendor risk register, data minimization so you are not hoarding records you no longer need, and an incident-response plan you have actually rehearsed. Microsoft Research has found that multifactor authentication blocks over 99.22% of account compromise attacks, and most of the breaches above involved an identity that was not protected by it well enough.

The same threats show up in the everyday attacks that never make headlines, which we cover in the common IT scams dental practices must avoid and in how AI is reshaping dental cybersecurity threats. The recovery half of the equation, the part that decides whether a breach is a bad week or a closed practice, lives in dental data backup and disaster recovery.

Final Thoughts from Tom Terronez

Every breach on this list looks obvious in hindsight, and almost none of them required a sophisticated attack. A phished password, an over-trusted IT vendor, patient data left sitting in an inbox. The organizations that get hurt are rarely the ones that did something exotic wrong. They are the ones that treated cybersecurity as antivirus plus a checkbox instead of a real program, and then learned the difference during an incident.

If you want an honest read on where your practice or group actually stands against these patterns, our team runs HIPAA cybersecurity assessments and managed IT support for dental service organizations against exactly this baseline. If you want a second set of eyes before something forces the conversation, happy to compare notes.

Biggest Dental Data Breaches FAQs

What was the biggest dental data breach ever?

The largest dental-sector breach on record is the 2023 MCNA Dental ransomware attack, which exposed the data of 8,923,662 individuals after the LockBit gang exfiltrated roughly 700GB and published it when MCNA refused a $10 million ransom. The second largest is Delta Dental of California, with 6,928,932 individuals affected through the MOVEit supply-chain attack the same year.

How do most dental data breaches actually happen?

Rarely through a direct hack of hardened systems. The breaches on this list overwhelmingly started with a trusted identity or a trusted third party: phished or stolen credentials (often bypassing weak MFA), a compromised IT vendor with standing privileged access, or a zero-day in shared vendor software. The attacker logs in as someone legitimate, then reaches a large store of patient data that was retained longer and protected less than it should have been.

Are small dental practices targets, or just large groups and insurers?

Both. Large groups and insurers produce the biggest headline counts because they aggregate the most data, but small practices are breached constantly through the same phishing and vendor-compromise routes. One Indianapolis practice hit by ransomware in 2020 concealed the incident for roughly two years and was fined $350,000 by the state attorney general. Size determines the headline number, not the risk of being hit.

What is the single most effective defense against these breaches?

Phishing-resistant multifactor authentication on every account, because compromised identities are the common thread. Microsoft Research measured MFA blocking over 99.22% of account compromise attacks. It is not the only control you need, but most of the breaches above involved an identity that MFA, properly implemented, would have protected. Pair it with endpoint detection, immutable backups, and vendor access controls for a real program.

Posted in Dental Cybersecurity

Filter By: