Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals
Absolute Dental, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, has completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed.
Absolute Dental reported the data breach to the HHS’ Office for Civil Rights in May 2025 using a placeholder figure of 501 affected individuals. At the time, it was unclear how many individuals had been affected. While the breach portal has not yet been updated with the new total, the Oregon Attorney General was informed that 1,223,635 individuals have been affected.
Absolute Dental explained in its substitute breach notice that an issue was identified within its information systems on February 26, 2025. Steps were taken to secure its systems and investigate the nature and scope of the activity. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between February 26, 2025, and March 5, 2025.
The file review was completed on July 28, 2025, when it was confirmed that sensitive personal data was exposed and potentially stolen. The affected individuals had their name exposed along with one or more of the following: contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other governmental ID information, and health information. Health information may have included health history, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN number or patient identification number. A small subset of the affected individuals also had their financial account and/or payment card information exposed.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Absolute Dental said the third-party forensic investigation revealed that initial access to its network occurred via the execution of a malicious version of a legitimate software tool through an account associated with its managed services provider. Absolute Dental did not state which legitimate software tool was involved. The description suggests that a threat actor breached the network of its managed services provider, then either tricked an Absolute Dental employee into executing a malicious version of the software tool or the threat actor abused the privileged access of the managed services provider to install the tool, thus providing access to Absolute Dental’s information systems.
Absolute Dental has reported the data breach to regulators, notified law enforcement, and has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Notification letters are being mailed to the affected individuals who have been offered two years of complimentary credit monitoring services.
