Cyber Incident Victim: Great Expressions Dental Centers
Date:
Feb 2023
Location:
United States of America
Summary
Great Expressions Dental Centers experienced a cybersecurity breach wherein unauthorized actors infiltrated its IT network, accessing and extracting sensitive patient information such as names, birthdates, contact details, Social Security and driver’s license numbers, financial account and payment card data, as well as protected health records. The intrusion was detected during an internal investigation involving third-party specialists, prompting system containment and law enforcement collaboration. Following confirmation of compromised patient data, the organization commenced notifications to affected individuals. The incident impacted a substantial volume of confidential records at the national dental care provider, which operates hundreds of clinics across the United States.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Great Expressions Dental Centers (GEDC) experienced a data breach involving unauthorized access to its computer network between February 17 and February 22, 2023, as confirmed through a subsequent investigation announced on May 17, 2023. The company discovered a potential cybersecurity incident in its IT systems, prompting immediate actions including system security enhancements, law enforcement engagement, and the launch of a third-party forensic investigation. This investigation verified that an intruder infiltrated GEDC’s network over the five-day period, accessing and exfiltrating files containing sensitive patient information. While GEDC did not publicly disclose the specific attack vector or initial detection method, the breach duration and unauthorized data removal were conclusively established. The compromised data review, initiated after confirming the intrusion, aimed to identify affected individuals and the scope of exposed personal and medical records. GEDC finalized this assessment prior to issuing breach notifications coordinated with regulatory filings.
The breach exposed highly sensitive patient data, including names, dates of birth, phone numbers, Social Security numbers, driver’s license numbers, financial account details, credit/debit card numbers, and protected health information. Impacted individuals received personalized notification letters starting May 17, 2023, after GEDC completed its analysis of the compromised files. As a prominent U.S. dental service provider operating over 300 clinics with nearly 1,700 employees, GEDC’s breach potentially affected a significant patient base across multiple states, though the exact number of impacted individuals was not quantified in available sources. No ransomware or explicit financial demands were referenced in the disclosure, nor did GEDC confirm whether data misuse had occurred post-breach. The company’s response focused on containment through system security measures, cooperation with authorities, and direct patient communication without detailing specific remediation services offered to victims.