Cyber Incident Victim: Dental Care Alliance
Date:
Sep 2020
Location:
United States of America
Summary
Dental Care Alliance experienced a cyber-attack compromising sensitive patient data, including names, addresses, dental diagnoses, treatment details, billing information, insurance data, and bank account numbers for a subset of individuals. The breach impacted over one million patients across its network of affiliated dental practices, with unauthorized access contained within several weeks. The organization notified affected individuals and regulators but did not provide credit monitoring due to lacking evidence of malicious data misuse.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Dental Care Alliance (DCA), a dental support organization operating over 320 affiliated practices across 20 states, experienced a cybersecurity incident beginning on September 18, 2020. The breach was discovered on October 11, 2020, after unauthorized access to systems occurred over a multi-week period. DCA contained the attack by October 13, 2020, limiting further data exposure. An investigation revealed that attackers potentially accessed sensitive information belonging to 1,004,304 patients, including names, addresses, dental diagnoses, treatment details, patient account numbers, billing information, health insurance data, and the names of treating dentists. Financial information exposure was more limited, with bank account numbers visible to attackers for only approximately 10% of affected individuals (roughly 100,430 patients). The organization did not publicly specify whether ransomware or specific malware was involved in the attack, nor did it identify the perpetrators or their methods of initial access.
DCA initiated notification letters to all affected patients in November 2020 and reported the incident to relevant regulatory authorities. The organization's general counsel, Dave Quigley, stated no remediation services like credit monitoring were offered because investigators found no evidence of actual misuse of the stolen data. DCA emphasized ongoing efforts to support impacted individuals while maintaining operational continuity across its network of 700+ affiliated dentists. The breach occurred against the backdrop of broader cybersecurity challenges in the dental sector, as evidenced by an unrelated February 2020 ransomware attack against Complete Technology Solutions that disrupted approximately 100 dental practices across four states. That separate incident caused significant operational paralysis, with affected practices losing access to patient records and scheduling systems, highlighting sector-wide vulnerabilities despite differing attack methodologies between the two events.