ShinyHunters publishes 234 GB of stolen DentaQuest data after ransom talks collapse

A prolific data extortion gang has released a 234-gigabyte cache of files stolen from DentaQuest, a Massachusetts-based dental and vision benefits administrator, after the company declined to meet its ransom demand. Breach monitoring services have confirmed the leaked data includes records for 2.6 million accounts.

ShinyHunters listed DentaQuest on its darkweb site before publishing the files in full. In a post last updated May 30, the gang wrote that the company "failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don’t care."

DentaQuest posted a notice on its website June 1 acknowledging unauthorized access to a limited portion of its network. The company said it moved immediately to contain the intrusion, engaged outside cybersecurity and forensic experts, and notified law enforcement. "We are aware that an unauthorized party has released data related to this incident," the company said, without addressing ShinyHunters’ specific claims directly. DentaQuest said its systems remain fully operational and that client service has experienced only limited disruption. The company said it is still working to determine the full scope of the breach and the extent of data that was compromised.

Have I Been Pwned, a data breach notification service, analyzed the leaked files and found 2.6 million unique email addresses alongside names, mailing addresses, genders, dates of birth, phone numbers, and health insurance details. The service said much of the material appeared in healthcare enrollment files using ASC X12 transaction sets, with some records containing Medicaid identification numbers. Roughly 66% of the exposed records had already appeared in Have I Been Pwned’s database from prior breaches involving other organizations.

If federal regulators confirm the breach at the reported scale, it could rank among the three largest health data breaches reported to U.S. authorities this year. As of Thursday, Sun Life — the publicly traded Canadian financial company that owns DentaQuest through its Sun Life U.S. Dental subsidiary and is headquartered in Ontario, Canada — had not filed any related disclosures with the U.S. Securities and Exchange Commission.

DentaQuest, headquartered in Wellesley, Massachusetts, administers dental and vision benefits for Medicaid, Medicare Advantage, employers, health plans, and individual customers.

ShinyHunters claimed approximately 109 victims across 14 countries in the past year. The gang’s members are known to use phone-based social engineering tactics to obtain access credentials, frequently targeting cloud-based storage platforms. Troy Hunt, founder of Have I Been Pwned, described the group as exceptionally active. "Courtesy of the ShinyHunters, there’s been just a very large amount of data on a very regular cadence published into the public domain," Hunt said. Other recent alleged victims include the Canvas learning management system, used by millions of K-12 and higher-education students and educators worldwide, and reportedly medical device maker Medtronic and East of England Ambulance Service in the United Kingdom.

People whose data may be in the leaked files should treat unsolicited communications with caution, as the exposed records increase the risk of targeted phishing and fraud.