ShinyHunters dumped 234 GB of DentaQuest data publicly after the company didn’t pay the ransom. The extortion group listed the dental benefits administrator on its leak site in May 2026; following a failure to reach an agreement, the data went public. Have I Been Pwned confirmed 2.6 million exposed accounts on June 3: full names, email addresses, phone numbers, dates of birth, genders, government-issued IDs, and health insurance information.
Under 45 CFR §164.408, DentaQuest faces a 60-day clock from discovery to notify both affected individuals and HHS OCR. Discovery date has not been disclosed publicly, but the 60-day clock runs from when DentaQuest first knew, per the HIPAA breach notification rule. The rule applies regardless of whether data was ransomed or dumped without payment.
DentaQuest, part of Sun Life, manages dental benefits for Medicaid programs and Medicare Advantage plans across all 50 states, serving 35 million customers through 140,000 dental providers. On June 2 the company acknowledged “unauthorized access to a limited portion of our network” and told clients systems were “fully operational” with “limited disruption.” Standard post-breach triage language.
The leaked data’s structure matters as much as its volume. Most of it appeared in ASC X12 healthcare enrollment files, the format Medicaid uses for eligibility and claims: some records carried Medicaid IDs alongside government-issued IDs and dates of birth. That’s a richer package for identity fraud than a plain commercial breach.
Worth auditing your business associate agreements with dental benefits administrators before July 24.
— Rebecca Lauren