Three Independent Dental Clinics in the U.S. Report Data Breach to HHS, Affecting a Total of 25,000 Patients

Image Source: U.S. Department of Health and Human Services Office for Civil Rights

DentalGoodNews｜Between November 2025 and January 2026, three independent dental clinics in the United States—360 Dental PC in Philadelphia, Pennsylvania; Pecan Tree Dental in Grand Prairie, Texas; and Issaqueena Pediatric Dentistry in Seneca, South Carolina—experienced cybersecurity incidents, affecting a total of 25,074 patients' personal and medical information. All three entities have completed breach notifications to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) as required by the Health Insurance Portability and Accountability Act (HIPAA).

The clinic with the highest number of affected individuals is Pecan Tree Dental, with 13,300 patients. The clinic discovered the intrusion on January 11, 2026, and completed its notification to HHS OCR on January 26, 2026. The ransomware group Sinobi claimed to have exfiltrated 250GB of data from the clinic. The clinic's official website statement said, "There is currently no evidence that patient information has been accessed or misused." A notice from the Texas Attorney General indicates that the involved information includes names, addresses, dates of birth, and medical/health information.

Philadelphia's 360 Dental PC discovered the intrusion on November 16, 2025, affecting 11,273 patients' information, and completed its HHS notification on January 15, 2026. Privacy Officer Olga Tseona mailed written notices to affected patients on December 27, 2025. The breached information includes names, dates of birth, addresses, phone numbers, email addresses, medical record/chart numbers, dental clinical records, insurance information, and emergency contacts, with a small number of records involving Social Security numbers; the attacking entity was not publicly disclosed. Following the incident, the clinic replaced compromised equipment, rebuilt servers, and deployed multi-factor authentication (MFA) and VPN. DGN previously reported that in 2023, U.S. dental insurance company MCNA suffered a hacker attack, leading to the exposure of data for approximately 8.9 million patients.

Issaqueena Pediatric Dentistry was attacked between November 9 and 11, 2025, with the system intrusion discovered on November 11, 2025, affecting 501 patients' information. The HHS notification was completed on February 4, 2026—approximately 85 days after discovery. The ransomware group Interlock claimed to have exfiltrated 118GB of data. The clinic is still conducting a content review of the involved files and has offered affected patients free identity protection services until May 2, 2026.

There were intervals between the discovery of the attacks and the HHS OCR notification times for all three incidents: approximately 15 days for Pecan Tree, about 60 days for 360 Dental, and around 85 days for Issaqueena. All three are independent clinics, not part of a chain or a Dental Service Organization (DSO) entity; the categories of leaked information all cover patients' basic identifying information and medical records. According to HIPAA regulations, Data Breaches involving 500 or more patients must be reported to HHS OCR within 60 days of discovery, and notifications to affected individuals and the media must be completed. As of the publication of this article, all three incidents have been publicly listed on the HHS OCR breach portal.