A cyberattack at Northwest Denture Center compromised personal and medical data including Social Security numbers and state IDs.
Northwest Denture Center (NDC), located in Burlington, Washington, reported a data breach affecting 12,209 state residents. The breach occurred on May 27, 2025, and suspicious network activity was detected the following day. NDC launched an investigation and completed a review of compromised files by June 27.
The exposed data includes names, full dates of birth, Social Security numbers, Washington driver’s license or state ID numbers, and medical information. The method of unauthorized access has not been disclosed, and the identity of the attacker remains unknown.
The breach involved both personally identifiable information (PII) and protected health information (PHI), heightening the risk of identity theft and potential medical fraud. NDC reported the breach to the Washington State Attorney General and notified affected individuals in writing.
The combination of government-issued ID numbers, Social Security numbers, and medical details makes this type of breach particularly serious, as the information can be used for multiple forms of fraud or impersonation.
In its official statement, NDC confirmed it had taken steps to secure its network and prevent future incidents. The company is offering 12 months of complimentary identity theft protection and credit monitoring services through TransUnion. Notification letters also included guidance on placing fraud alerts, requesting credit freezes, and monitoring for unusual activity.
According to the official notice, NDC said it “immediately took steps to confirm the security of our network” after detecting suspicious activity. While notices were sent within the expected timeframe, the weeks between detection and disclosure reflect the time needed to review affected files and verify contact details. For those impacted, the exposure of both medical and identity data creates a longer window of potential risk, making it practical to enroll in the credit monitoring services being offered.
Medical records often contain long-term, unchangeable details such as diagnoses and treatment histories, which can be used for insurance fraud or to create convincing fake identities.
A fraud alert notifies lenders to take extra steps to verify your identity before issuing credit, while a credit freeze blocks all access to your credit report unless lifted by you.
Typically, enrollment must be completed within the timeframe outlined in the notification letter, 90 days in this case. Late enrollment may not be accepted.
The official filing specifies residents of Washington State. However, if NDC served patients from other regions, those individuals should remain alert and contact the company if concerned.
Victims can file a report with the Federal Trade Commission (identitytheft.gov), notify local law enforcement, and contact their bank or healthcare provider if they suspect misuse of their data.