Millions of records found exposed in database breach

On March 26, 2025, researchers at Cybernews discovered a massive data exposure involving an unsecured MongoDB database containing sensitive health information.


What happened 

The database held approximately 2.7 million patient profiles and 8.8 million appointment records, including names, birth dates, addresses, phone numbers, email addresses, chart IDs, billing details, and language preferences. Appointment records also contained patient metadata, timestamps, and institutional references. The database appeared to be linked to a company called Gargle, a digital marketing and web development firm that provides services tailored to U.S. dental practices. 

After being notified by Cybernews, the database was taken offline; however, Gargle has not confirmed ownership or issued any public response. It remains unclear how long the database was publicly accessible or whether unauthorized parties accessed the data.
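The article does not say how the database came to be reachable from the internet. The usual pattern behind "unsecured MongoDB" discoveries is a mongod bound to every interface with access control left at its default (disabled), so anyone who can reach port 27017 can list and dump every collection. The following is an added example, not code from the article or from Gargle: a small Python audit that parses a mongod.conf and flags that combination, run here against two constructed configurations, one exposed and one hardened. The paths and the private interface address in the configs are made up; the options checked (net.bindIp, net.bindIpAll, security.authorization, net.tls.mode) are real mongod settings, and the defaults assumed for missing options are mongod's own.

```python
"""Flag the misconfiguration pattern behind 'unsecured MongoDB' exposures.

Added example, not code from the article or from Gargle. The two configs below
are constructed for illustration; the options checked are real mongod settings.
"""

# Constructed example: the classic exposed deployment. bindIp opened to every
# interface and no security section, so mongod accepts unauthenticated clients.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: the same server hardened. Loopback plus one private
# interface, access control enabled, TLS required. Address and path are made up.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5   # loopback plus one private interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the YAML subset mongod.conf actually uses: nested mappings with
    scalar leaves, space indentation and '#' comments. Not a general YAML
    parser; it avoids a PyYAML dependency so the check runs anywhere."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes finished mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip()
    return root


def lookup(conf, dotted, default):
    """Read a dotted option path such as 'net.bindIp'; default mirrors mongod's."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def listens_on_all_interfaces(conf):
    # mongod has defaulted to bindIp 127.0.0.1 since 3.6; 0.0.0.0, :: or
    # bindIpAll: true undoes that and exposes the port on every interface.
    if str(lookup(conf, "net.bindIpAll", "false")).lower() == "true":
        return True
    addrs = [a.strip() for a in str(lookup(conf, "net.bindIp", "127.0.0.1")).split(",")]
    return any(a in ("0.0.0.0", "::") for a in addrs)


def requires_auth(conf):
    # security.authorization defaults to disabled: every client is effectively admin.
    return str(lookup(conf, "security.authorization", "disabled")).lower() == "enabled"


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    conf = parse_mongod_conf(text)
    findings = []
    if listens_on_all_interfaces(conf):
        findings.append("net.bindIp: listens on all interfaces")
    if not requires_auth(conf):
        findings.append("security.authorization: not enabled; unauthenticated clients get full access")
    if str(lookup(conf, "net.tls.mode", "disabled")).lower() == "disabled":
        findings.append("net.tls.mode: TLS disabled; credentials and records cross the wire in cleartext")
    return findings


def open_to_the_internet(text):
    """The combination that produces this kind of discovery: reachable on
    any interface and no authentication required."""
    conf = parse_mongod_conf(text)
    return listens_on_all_interfaces(conf) and not requires_auth(conf)


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: open to internet = {open_to_the_internet(conf)}")
        for finding in audit_mongod_conf(conf):
            print("  -", finding)
```

The audit only reads one host's configuration; it is worth pairing it with an outside-in check (confirm from an untrusted network that port 27017 is not reachable) and with a host or cloud firewall rule, since a correct bindIp can be undone by a later edit and the firewall is the second layer that keeps a mistake from becoming a public dataset.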

As of June 5, 2025, no breach notification related to this incident has been reported by Gargle or any affiliated dental practices to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal. Under HIPAA, a business associate must notify its covered entity clients of a breach within 60 days of discovery, and those covered entities must then ensure that affected individuals are informed.


What was said 

The article by Cybernews journalist Paulina Okunytė noted, “It’s still unclear how long the database was exposed or who might’ve accessed it before it was locked down. After Cybernews informed the company about the leak, the dataset was secured. A comment by the company has yet to be received.”


Why it matters 

Under HIPAA's Breach Notification Rule, a business associate must notify the affected covered entity of any breach of unsecured protected health information (PHI) without unreasonable delay, and no later than 60 days after discovery. The covered entity must then notify affected individuals within the same 60-day window; it must notify HHS at the same time if the breach affects 500 or more individuals (smaller breaches are logged and reported to HHS annually) and notify prominent media outlets if more than 500 residents of a state or jurisdiction are affected. Failure to meet these requirements can result in substantial civil penalties, and in some circumstances criminal liability, depending on the nature of the violation.

The lack of timely disclosure in the Gargle case raises concerns about compliance with these regulations. In similar instances, such as the Fortra data breach in January 2023, affected companies faced class action lawsuits and financial settlements, with individuals eligible for compensation up to $5,000.


FAQs

What is a class action lawsuit in a data breach case?

A class action is a legal action filed by one or more plaintiffs on behalf of a larger group of individuals who were similarly affected by the same incident.


What happens if the company settles?

If a settlement is reached, eligible class members will receive instructions on how to file a claim. This often involves filling out a short online form or submitting documentation (such as receipts for identity theft expenses). If you do nothing, you might forfeit your right to compensation.


What kind of harm do class actions usually cover?

Class action suits may claim harm from economic damages, emotional distress, loss of privacy, and increased risk of future harm.