Absolute Dental breach exposes data of over 1.2 million patients
Farah Amod
Sep 12, 2025 5:14:00 PM

A February 2025 cyberattack on Absolute Dental has been confirmed to impact more than 1.2 million individuals across Nevada.
What happened
Absolute Dental, a large Nevada-based dental practice with over 50 locations, has confirmed a data breach affecting 1,223,635 individuals. Initially reported to the U.S. Department of Health and Human Services with a placeholder figure of 501, the full extent of the breach became clear after a forensic investigation concluded in late July.
The breach occurred between February 26 and March 5, 2025, when an unauthorized third party gained access to Absolute Dental’s network. The exposed data includes names, contact information, Social Security numbers, government-issued IDs, health records, and in some cases, financial account or payment card details.
Going deeper
According to the breach notice submitted to the New Hampshire Attorney General’s office, Absolute Dental’s systems were compromised using a malicious version of a legitimate software tool. This tool was executed through an account tied to the organization’s managed services provider (MSP). While the specific software was not named, the incident appears to have involved either social engineering or abuse of privileged access through compromised MSP credentials.
The affected health data included health history, diagnoses, treatments, insurance details, and medical record numbers. A smaller group of patients had financial data exposed as well.
Absolute Dental has since reported the incident to law enforcement and regulators and is mailing notifications to affected individuals. The company is offering two years of free credit monitoring and has stated that it has implemented stronger cybersecurity safeguards.
What was said
According to BankInfoSecurity, the Absolute Dental breach “sounds like a combination of a supply chain attack – malicious version of a legitimate software tool – combined with a credential compromise from a partner admin account.” Zach Moore of NWN added that “better account controls and zero trust would limit the damage a single account could do if compromised and more effective MDR would quickly identify malicious activity and isolate compromised endpoints.”
FAQs
What is a managed services provider (MSP) and why is it relevant here?
An MSP is a third-party company that provides IT support and infrastructure services to businesses. In this case, the breach was enabled through an account associated with Absolute Dental’s MSP, suggesting that attackers exploited trusted access to gain entry.
How can patients protect themselves after a healthcare data breach?
Affected individuals should monitor their credit reports, watch for signs of identity theft, and take advantage of the complimentary credit monitoring services offered. They may also consider placing fraud alerts or credit freezes with credit bureaus.
Why was the breach initially reported as affecting only 501 individuals?
HIPAA-covered entities often report breaches using a placeholder figure of 501 while investigations are ongoing. This allows timely regulatory notification before the full scope is known.
Could the software used in the attack have been a widely used tool?
Yes. Threat actors often manipulate legitimate tools to evade detection. Although Absolute Dental did not name the tool, its description suggests the attackers repurposed a trusted utility for malicious access.
Are vendors typically held accountable in cases like this?
Vendor accountability depends on the contractual relationship, the nature of the breach, and any negligence involved. Regulators may examine both the healthcare provider and the vendor when determining liability and preventive expectations.