Cyber Incident Victim: Jefferson Dental and Orthodontics

The Jefferson Dental and Orthodontics data breach, first publicly disclosed in October 2021, involved unauthorized access to sensitive information affecting a significant portion of its patient base. Jefferson Dental, operating 72 clinics across Texas, initially reported the incident to the U.S. Department of Health and Human Services (HHS) in October 2021 with a minimal disclosed impact of 501 individuals. The breach stemmed from a malware attack that compromised systems containing patient data, though specific technical details about the intrusion vector or malware type were not publicly disclosed. In February 2022, the organization issued an update about the incident but did not provide revised impact figures at that time. The full scope remained unclear until March 17, 2022, when Jefferson Dental filed a notification with the Texas Attorney General’s Office revealing that up to 1,026,820 Texas residents were potentially affected.

This disclosure marked the largest breach reported under Texas’s new data notification law enacted in September 2021, requiring entities to notify both affected individuals and the state attorney general for breaches impacting 500 or more Texans. The March filing appeared on the Texas Attorney General’s official website on the same day as its submission. While the nature of compromised data was not specified in public reports, the scale suggested extensive exposure of personal or health information. The breach timeline indicates a five-month gap between initial detection and full public disclosure of impact magnitude. No information was provided about containment measures, forensic findings, or whether ransomware payments were involved. The incident highlighted challenges in timely breach assessment and transparency, particularly under evolving state notification requirements affecting healthcare entities.