A dental practice in Nevada, Absolute Dental, has more than 50 centers in Carson City, Las Vegas, Minden, Reno, and Sparks. It concluded its investigation associated with a February 2025 cyberattack and has announced that the personal data and protected health information (PHI) of more than 1.2 million people had been exposed.
Absolute Dental submitted a data breach report to the HHS’ Office for Civil Rights last May 2025 using a placeholder figure of 501 affected individuals. Back then, the number of affected persons was uncertain. Although the breach portal does not yet show the new number, the Oregon Attorney General was notified that 1,223,635 persons were impacted.
Absolute Dental stated in its substitute breach notice that it discovered an issue within its information systems on February 26, 2025. It took steps to secure its systems and inspect the nature and magnitude of the activity. Third-party cybersecurity specialists helped with the investigation and confirmed the unauthorized access by a third party to its system from February 26, 2025, to March 5, 2025.
The file analysis was done on July 28, 2025, which confirmed the exposure and potential theft of sensitive personal information. The affected persons had their name compromised together with one or more of these data: contact details, birth date, driver’s license or state-issued ID, passport or other governmental ID data, Social Security number, and medical information. Health data may have included health history, diagnosis/treatment details, explanation of benefits, health insurance data, and/or patient identification number or MRN number. The financial account and/or payment card details of some impacted individuals were also exposed.
Absolute Dental stated the third-party forensic investigation showed that network initial access occurred via a malicious version of a legitimate software through an account linked to its managed services provider. Absolute Dental did not say which legitimate software program. The description indicates that a threat actor breached the system of its managed services provider, then deceived an Absolute Dental staff member into executing a malicious version of the software, or the threat actor used the privileged access of the managed services provider to set up the software, thus gaining access to Absolute Dental’s network.
Absolute Dental has submitted a data breach report to regulators, alerted law enforcement, and has implemented additional technical security solutions to stop the same incidents in the future. In compliance with HIPAA laws, the dental practice sent notification letters to the impacted individuals and offered two years of complimentary credit monitoring services.
Image credit: Zhanna, AdobeStock / logo©AbsoluteDental
