Chord Specialty Dental Partners Data Breach 2025: 173,430 Tennessee DSO Patients Exposed in Employee Email Compromise. Seven Federal Class Actions Filed. What To Do
CDHA Management and Spark DSO, dba Chord Specialty Dental Partners, disclosed in March 2025 that hackers accessed employee email accounts from August to September 2024, exposing SSNs, financial data, and medical records for 173,430 individuals. Seven federal class actions are pending. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 19, 2024
Unauthorized access to Chord employee email accounts begins
Sep 11, 2024
Suspicious activity identified in an employee email account; third-party digital forensics engaged
Sep 25, 2024
Unauthorized access window closes
Mar 14, 2025
HIPAA breach notification filed with HHS OCR; individual notification letters begin mailing
Mar 14, 2025
OCR portal entry posted listing 173,430 affected individuals
Apr 4, 2025
Edelson Lechtzin LLP announces investigation on behalf of affected individuals
May 16, 2025
Bloomberg Law reports at least seven federal class actions pending in M.D. Tenn. and E.D. Pa.
May 24, 2025
Multiple proposed class actions reported as consolidated
Aug 19, 2024
Unauthorized access to Chord employee email accounts begins
Sep 11, 2024
Suspicious activity identified in an employee email account; third-party digital forensics engaged
Sep 25, 2024
Unauthorized access window closes
Mar 14, 2025
HIPAA breach notification filed with HHS OCR; individual notification letters begin mailing
Mar 14, 2025
OCR portal entry posted listing 173,430 affected individuals
Apr 4, 2025
Edelson Lechtzin LLP announces investigation on behalf of affected individuals
May 16, 2025
Bloomberg Law reports at least seven federal class actions pending in M.D. Tenn. and E.D. Pa.
May 24, 2025
Multiple proposed class actions reported as consolidated
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
CDHA Management, LLC and Spark DSO, LLC, the Nashville, Tennessee-based dental support organization doing business as Chord Specialty Dental Partners, disclosed on March 14, 2025, that an unauthorized party accessed several employee email accounts between August 19 and September 25, 2024. The intrusion was identified on September 11, 2024, when suspicious activity surfaced in a single employee mailbox. A third-party forensic review determined that the actor had reached multiple accounts containing protected health information for 173,430 individuals. Notification letters began mailing on March 14, 2025, the same date the entity reported the incident to the HHS Office for Civil Rights.
Chord is a multi-specialty dental support organization that provides HR, finance, and other administrative and operational services to more than 60 affiliated dental practices and 10 group practices across Tennessee, Indiana, Pennsylvania, New Jersey, Virginia, and Delaware. Its affiliated practices include pediatric dentistry, orthodontics, oral surgery, and ambulatory surgery centers. The organization rebranded from Spark Dental Management to Chord Specialty Dental Partners in April 2024 and has continued to expand since the breach disclosure, announcing new practice affiliations through 2025.
The incident vector was an email-account compromise, characteristic of credential phishing or business email compromise, rather than a network-wide ransomware deployment. No threat actor has been publicly attributed. Chord stated it found “no evidence to suggest that any information has been or will be fraudulently misused,” but proceeded with notification because it could not rule out unauthorized access to the PHI in the affected mailboxes.
What was stolen
The information involved varies by individual and may include a name combined with one or more of the following, per Chord’s own breach notice and the affiliated Pediatric Dental Associates substitute notice:
- Address
- Social Security number
- Driver’s license number
- Bank account information
- Payment card information
- Date of birth
- Medical information
- Health insurance information
Affiliated practices including Philadelphia-based Pediatric Dental Associates posted substitute notices on their own websites referencing the same Chord-administered incident, indicating that the affected population spans the multi-state network of Chord-supported clinics. Because many Chord-affiliated practices serve pediatric patients (infants through adolescents), SSNs exposed for minors carry a heightened synthetic-identity-theft risk that may not surface for years. Parents who received a notification letter about their child should consider placing a credit freeze at all three bureaus in the child’s name.
What Chord is offering
Chord is offering complimentary credit monitoring and identity-theft protection services to individuals who receive notification letters. The substitute notice posted by Pediatric Dental Associates directs affected individuals to enroll by calling the breach response line at 1-833-998-6327 (Monday through Friday, 8 AM to 8 PM ET) and references an enrollment code in the individual notification letter.
The specific monitoring vendor name and enrollment duration are not stated in any publicly available substitute notice reviewed as of this page’s last update. If you received a letter, use the enrollment code before the deadline printed in that letter.
Class actions
At least seven proposed federal class actions were pending across two courts as of mid-May 2025, according to Bloomberg Law. The cases are filed in the Middle District of Tennessee and the Eastern District of Pennsylvania, with docket numbers 3:25-cv-00371, 3:25-cv-00380, 3:25-cv-00379, 3:25-cv-00382, 2:25-cv-02186, 2:25-cv-02453, and 5:25-cv-02482. By late May 2025, DataBreaches.net reported that the proposed class actions had been consolidated.
Firms that have publicly announced investigations or filed cases include Console and Associates, P.C.; Strauss Borrelli PLLC; Murphy Law Firm; Levi & Korsinsky, LLP; Federman & Sherwood; The Lyon Firm; and Edelson Lechtzin LLP. The complaints generally allege negligence, breach of implied contract, and violations of state consumer-protection statutes, pointing in particular to the roughly six-month gap between intrusion containment (September 2024) and individual notification (March 2025).
Chord has also filed breach notices with at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, per aggregator tracking. Those state filings may produce additional enforcement activity or resident-specific notifications.
What to do
- Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers, driver’s license numbers, and financial account data were all in scope. A freeze is free, reversible, and materially more protective than monitoring alone.
- Enroll in the offered credit monitoring. Use the enrollment code in your individual notification letter and call 1-833-998-6327 before the deadline in your letter.
- If your child was a patient, place a credit freeze in the child’s name at all three bureaus. Synthetic-identity-theft using a minor’s SSN often goes undetected until the child applies for credit or student loans as an adult.
- File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was confirmed exposed. This alerts the IRS and helps prevent fraudulent tax returns filed in your name.
- Watch for dental billing and insurance fraud. Because medical and health insurance information was exposed, review every Explanation of Benefits from your dental insurer. Request a copy of your record from your insurer if you see procedures you did not receive.
- Treat unexpected outreach from dental providers with skepticism. An attacker with mailbox-level access has the context (provider name, appointment dates, billing amounts) to craft convincing follow-on phishing or invoice-fraud lures by phone or email.
- Decide whether to join the class action. If a settlement is reached, the administrator will mail a class notice with claim instructions. You do not need to retain a lawyer or pay any fee in advance to receive a settlement payment.
Stop the ongoing flow of your dental and pediatric health data. HealthConsent files HIPAA restriction requests so the medical, insurance, and personal information exposed in this breach is not continuously re-shared across the dental practice networks, insurers, and billing vendors that Chord and its affiliated practices use.
Continue reading
- Your HIPAA Rights — how to request an accounting of disclosures and limit future sharing
- All tracked healthcare breaches
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — 173,000 Patients Affected by Chord Specialty Dental Partners Email Data Breach
- SecurityWeek — 170,000 Impacted by Data Breach at Chord Specialty Dental Partners
- Pediatric Dental Associates — Notification of Data Security Incident (official substitute notice)
- JDSupra / Console and Associates, P.C. — Chord Specialty Dental Partners Data Breach Results in as Many as 173,430 Leaked Social Security Numbers
- DataBreaches.net — Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
- ClassAction.org — Chord Specialty Dental Partners Data Breach Lawsuit Investigation
- Bloomberg Law — Chord Dental Hit by Seven Class Actions Over 2024 Data Breach (dockets: 3:25-cv-00371, 3:25-cv-00380, 3:25-cv-00379, 3:25-cv-00382, 2:25-cv-02186, 2:25-cv-02453, 5:25-cv-02482)
- PR Newswire / Edelson Lechtzin LLP — Data Breach Alert Investigation Announcement (April 4, 2025)
- HIPAA E-Tool — Chord Dental Slammed With Lawsuits After Hack Affects 173,400 (practice-type detail, state AG filing context)
- ClaimDepot — Chord Dental Data Breach (14 state AG filings listed: CA, IA, ME, MA, MT, NE, NH, OR, RI, SC, TX, VT, WA)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.