Absolute Dental confirms data breach impacting more than 1.2 million patients

Absolute Dental, a Nevada-based dental practice with more than 50 locations across the state, has confirmed that over 1.2 million individuals had personal and health information exposed in a cyberattack earlier this year.

The company disclosed that unauthorized access to its systems occurred between February 26 and March 5, 2025, through a malicious version of a legitimate software tool connected to its managed services provider. The breach was first reported to the Department of Health and Human Services’ Office for Civil Rights in May with a placeholder estimate of 501 affected individuals, but a review finalized in late July determined that 1,223,635 patients were impacted. The Oregon Attorney General has since been notified of the updated figure.

The compromised data included names, contact details, dates of birth, Social Security numbers, driver’s license or state ID information, passports, and health records. Health information may have contained medical history, diagnoses, treatments, insurance details, and patient identification numbers. A smaller group of patients also had financial account or payment card information exposed.

According to the substitute breach notice, the intrusion stemmed from the exploitation of access linked to Absolute Dental’s managed services provider. While the company did not specify the tool that was manipulated, investigators believe threat actors either deceived an employee into executing the malicious program or leveraged privileged access to install it directly.

Absolute Dental said it took immediate steps to secure its systems and engaged third-party cybersecurity experts to investigate the attack. The company has reported the incident to regulators and law enforcement, and it is implementing new security safeguards. Affected patients are being notified by mail and offered two years of complimentary credit monitoring services.