More Than 1.2 Million Absolute Dental Patients Affected by Data Breach

September 7, 2025HIPAA News0

Absolute Dental, a Nevada dental practice with about 50 clinics in Carson City, Minden, Las Vegas, Sparks, and Reno, encountered a cyberattack. It finished its investigation in February 2025 and reported that the personal information and protected health information (PHI) of over 1.2 million individuals had been compromised.

Absolute Dental sent a data breach report to the HHS’ Office for Civil Rights in May 2025 with a placeholder of 501 affected persons. During that time, the number of affected individuals was not certain. Though the breach portal doesn’t yet show the new figure, the Oregon Attorney General was advised that 1,223,635 people were impacted.

Absolute Dental mentioned in its substitute breach notice that it found a problem inside its IT systems on February 26, 2025. It took action to protect its systems and look into the nature and extent of the breach. Third-party cybersecurity professionals assisted with the investigation and affirmed the third-party unauthorized access to its system between February 26, 2025, and March 5, 2025.

The file assessment was finished on July 28, 2025, which established the compromise and potential theft of sensitive personal data. The affected individuals had their name exposed alongside at least one of this information: contact data, date of birth, passport or other governmental ID, driver’s license or state-issued ID details, Social Security number, and medical data. Medical data may have included health background, diagnosis/treatment details, explanation of benefits, medical insurance details, and/or patient ID number or MRN number. The financial account and/or payment card data of certain impacted persons were likewise compromised.

Absolute Dental reported that the third-party forensic investigation disclosed that network preliminary access happened through a malicious variant of a legitimate software program through an account connected with its managed services provider. Absolute Dental didn’t point out which software. The description implies that a threat actor accessed the network of its managed services provider, then misled an Absolute Dental worker into running a malicious variation of the software program or the threat actor abused the authorized access of the managed services provider to add the program, thus giving access to Absolute Dental’s IT systems.

Absolute Dental has submitted a breach report to government agencies, informed law enforcement, and has enforced extra technical security procedures to avoid identical occurrences later on. An an HIPAA-covered entity, the dental practice mailed notification letters to the victims and provided two years of free credit monitoring services.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.