Cyber Incident Victim: Dyras Dental
Date:
Sep 2020
Location:
United States of America
Summary
A ransomware attack by the Egregor group compromised Dyras Dental, a Michigan-based entity, leading to the exfiltration of sensitive data including patient-protected health information, employee tax documents, and voicemails containing patient details. The attackers publicly leaked over 100 files as proof, primarily financial and insurance billing records, but the victim did not acknowledge the incident or respond to inquiries, with no breach notification appearing on official channels. The subsequent removal of the listing from the threat actors' leak site raised questions about potential negotiations, while the exposure of protected health information suggested an unreported HIPAA violation. The incident highlighted Egregor's broader targeting of medical and dental organizations without restraint.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In September 2020, Egregor ransomware threat actors listed Dyras Dental, a Michigan-based dental practice, on their dedicated leak site. The attackers publicly released over 100 files as initial proof of the compromise, predominantly containing sensitive financial and patient information. The exfiltrated data included insurance billing records with protected health information (PHI), employee W-2 tax statements, and voice mail recordings containing patient-related details. Despite multiple inquiries sent to Dyras Dental in September and October 2020 by DataBreaches.net, the practice did not respond to requests for confirmation or clarification regarding the incident. As of the article’s publication date on September 24, 2020, no breach notification statement appeared on Dyras Dental’s official website. Subsequent checks confirmed the absence of any public acknowledgment by the practice. Notably, Egregor later removed Dyras Dental’s listing from their leak site, though the reason for this removal remained unconfirmed—whether due to potential negotiations between the parties or other factors. The incident likely constituted a reportable HIPAA breach, but it had not yet appeared on the U.S. Department of Health and Human Services’ public breach portal at the time of reporting.
Egregor simultaneously targeted multiple other dental and medical entities during this period. The threat actors listed Paramount Dental Studio in Huntington Beach, California, though the initial data dump accompanying this claim actually contained records from an unidentified Australian dental practice rather than Paramount’s data. DataBreaches.net attempted to contact both Paramount and the Australian practice but received no responses. Another listing involved Coldwater Orthodontics in Michigan, where attackers released data primarily consisting of business forms and marketing materials without apparent PHI exposure, leaving the full scope of potential patient data compromise unclear. Egregor also claimed an attack against Delta Dental Plans Association in Oak Brook, Illinois, though no confirmation or details were available at the time of reporting. These coordinated attacks demonstrated Egregor’s pattern of targeting healthcare sector entities without restraint, aligning with tactics observed in other ransomware groups like NetWalker and Conti. The Dyras Dental incident specifically exposed significant operational and compliance risks due to the confirmed exfiltration of PHI, tax documents, and sensitive voice recordings, compounded by the organization’s lack of public response or transparency throughout the event.