Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach

Posted by Steve Alder

Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities.

DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.

The digital extortion group ShinyHunters has claimed responsibility for the incident and has added DentaQuest to its dark web data leak site. The group specializes in data theft and extortion and claims to have exfiltrated 234 GB of data from DentaQuest systems. ShinyHunters explained on its data leak site that it has attempted to negotiate a ransom payment with DentaQuest to prevent the publication of stolen data, but despite exercising considerable patience and making multiple offers, it failed to reach an agreement with DentaQuest. As a result of the failure, ShinyHunters proceeded to leak the stolen data.

Have I Been Pwned (HIBP) has analyzed the leaked data, which contains the unique email addresses of 2.6 million individuals, along with names, addresses, phone numbers, dates of birth, and genders. HIBP said the leaked data appears in healthcare enrollment files (ASC X12 transaction sets), some of which include information such as Medicaid IDs, other government-issued IDs, and health insurance information. Around 66% of the records exposed were already in its database, having been breached in previous incidents.

Social Security numbers do not appear to have been stolen or leaked, so the affected individuals do not face an immediate threat of identity theft; however, since email addresses and contact information have been leaked, they do face an increased risk of social engineering and phishing attacks. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.

The post Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach appeared first on The HIPAA Journal.

Onsite Women’s Health $2.5M Data Breach Settlement

Posted by Steve Alder

A breach of the email account of an employee of Onsite Women’s Health that exposed the protected health information of 357,265 individuals has resulted in a $2,525,000 settlement. Onsite Mammography, LLC, which does business as Onsite Women’s Health, a Westfield, Massachusetts-based provider of medical imaging services to hospitals, identified unauthorized access to an employee’s email account in October 2024.

The email account was compromised as a result of a response to a phishing email, and while the account was only accessible for a short period of time, sensitive data was exfiltrated, including names, dates of birth, Social Security numbers, driver’s license numbers, credit card numbers, and information related to patients’ mental or physical conditions, and any care they received.

Multiple class action lawsuits were filed in response to the data breach, which were consolidated – Clarkson, et al. v. Onsite Mammography, LLC, d/b/a Onsite Women’s Health – in the United States District Court District of Massachusetts.  The consolidated lawsuit alleged that inadequate security measures had been implemented to prevent attacks on employee email accounts, and if those measures had been implemented, the data breach could have been prevented or at least the attack could have been detected more quickly, limiting the harm caused.

While the affected individuals were offered 12 months of complimentary credit monitoring services, the plaintiffs argue that the offer was insufficient considering the level of risk they face. They also claim that the defendant provided no reassurances that the stolen data had been deleted or that security had been sufficiently strengthened to prevent similar incidents in the future.

The lawsuit asserted claims for negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and declaratory judgment. The defendant maintains there was no wrongdoing and disagrees with the claims and contentions asserted by the plaintiffs. Despite disagreeing with the claims, after considering the likely costs and risks associated with continuing with the litigation, Onsite Women’s Health agreed to settle the lawsuit.

Under the terms of the settlement, Onsite Women’s Health will establish a $2,525,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the eight class representatives. The remainder of the settlement fund will be used to cover benefits for the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses incurred as a result of the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for three years of credit and medical data monitoring and insurance services. Class members may also claim a pro rata cash payment, which will be paid after all costs and claims have been paid and will exhaust the settlement fund. The deadline for objection and exclusion is July 13, 2026. Claims must be submitted by August 11, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Onsite Women’s Health $2.5M Data Breach Settlement appeared first on The HIPAA Journal.