Cyber Incident Victim: DD Education Services
Date:
Sep 2020
Location:
United States of America
Summary
Egregor ransomware actors targeted multiple dental entities, compromising sensitive data including patient protected health information, insurance billing records, employee tax documents, and voicemail communications. One victim's leaked financial and healthcare data remained unacknowledged despite inquiries, while another listing falsely attributed Australian dental practice information to a California-based entity. Attackers also accessed business and marketing materials from an orthodontics provider, though no confirmed patient data exposure occurred there. A dental insurance association was similarly claimed as compromised without public confirmation. The threat actors demonstrated consistent focus on healthcare sector targets, exfiltrating and leaking sensitive operational and patient data, with several impacted organizations failing to issue breach notifications or public statements regarding the incidents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In September 2020, Egregor ransomware operators listed Dyras Dental, a Michigan-based dental practice, on their dedicated leak site. The attackers publicly released over 100 files containing sensitive financial records, including insurance billings with patient protected health information (PHI), employee W-2 tax forms, and voicemail recordings with patient-related content. Despite multiple inquiries from DataBreaches.net in September and October 2020, Dyras Dental did not acknowledge the incident or post any public statements on its website. By the time of subsequent checks, Egregor had removed Dyras Dental from their leak site, though no confirmation existed regarding potential negotiations between the parties. The incident appeared to constitute a reportable HIPAA breach, but no corresponding entry appeared on the U.S. Department of Health and Human Services' public breach portal during the reporting period. Separately, Egregor listed Paramount Dental Studio in Huntington Beach, California, though the leaked "proof" data actually originated from an unidentified Australian dental practice. DataBreaches.net contacted both entities but received no responses regarding the legitimacy of the claims or the data's origin.
Egregor also listed Coldwater Orthodontics in Michigan, though initial analysis of the leaked data indicated it primarily contained business forms and marketing materials without apparent patient PHI. The extent of data access or exfiltration remained unverified at the time of reporting. Additionally, Egregor claimed responsibility for an attack on Delta Dental Plans Association in Oak Brook, Illinois, though no corroborating evidence or organizational response was available when DataBreaches.net reached out for comment. These incidents demonstrated Egregor's consistent targeting of dental and medical entities throughout September 2020, mirroring tactics employed by other ransomware groups like NetWalker and Conti. The threat actors routinely published exfiltrated data as leverage, with varying degrees of confirmed PHI exposure across victims. None of the affected entities confirmed or disclosed details about containment measures, system impacts, or detection timelines in response to media inquiries during the reporting period.