Absolute Dental Settles $3.3 Million Over 2025 Patient Data Breach

Context Absolute Dental Group, operating clinics in Nevada, California and Texas, faced a class‑action lawsuit alleging it failed to implement reasonable cybersecurity safeguards. The lawsuit centered on a breach that unfolded from February 19 to March 5, 2025, during which attackers accessed sensitive patient information.

Key Facts - The breach lasted 15 days, giving threat actors time to exfiltrate data from the practice’s electronic health record system. - Compromised data included Social Security numbers, health histories, and contact details. - The settlement totals $3.3 million; eligible class members may receive up to $5,000 for documented losses such as bank fees, credit‑card fraud, or identity‑theft remediation. - California residents qualify for double the cash payment under the state’s Consumer Privacy Act. - Claimants must submit a validated claim form by June 18 2026; objections to the settlement must be filed by June 9 2026, and the final approval hearing is set for July 30 2026. - Absolute Dental has not admitted wrongdoing but accepted the settlement to resolve the claims.

What It Means The case underscores the legal exposure dental practices face when patient data is not adequately protected. Health‑care providers must treat electronic health records as high‑value targets and apply layered defenses. Failure to do so can trigger class‑action suits, regulatory penalties, and costly settlements.

Mitigations – What Defenders Should Do 1. Patch Management – Apply all vendor patches promptly, especially for electronic health record platforms. Unpatched software is a common entry point (e.g., CVE‑2024‑XXXXX affecting popular dental software). 2. Network Segmentation – Isolate patient data stores from internet‑facing services to limit lateral movement, a tactic described in MITRE ATT&CK technique T1078 (Valid Accounts). 3. Multi‑Factor Authentication (MFA) – Enforce MFA for all privileged accounts to block credential‑theft attacks. 4. Endpoint Detection and Response (EDR) – Deploy EDR tools that can detect suspicious processes and file‑less malware, aligning with ATT&CK technique T1059 (Command‑Line Interface). 5. Regular Audits – Conduct quarterly security assessments, including penetration testing and configuration reviews, to identify gaps before attackers exploit them. 6. Incident Response Plan – Maintain a documented response plan that includes rapid containment, forensic analysis, and breach notification procedures to meet state‑level breach‑notification laws.

Watch Next – Monitor the July 30 2026 settlement approval hearing for any precedent‑setting language that could affect future health‑care data breach litigation.