Active breach tracker Nashville, Tennessee Disclosed March 14, 2025

Chord Specialty Dental Partners Data Breach 2025: 173,430 Tennessee DSO Patients Exposed in Employee Email Compromise. Seven Federal Class Actions Filed. What To Do

CDHA Management and Spark DSO, dba Chord Specialty Dental Partners, disclosed in March 2025 that hackers accessed employee email accounts from August to September 2024, exposing SSNs, financial data, and medical records for 173,430 individuals. Seven federal class actions are pending. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 19, 2024

Unauthorized access to Chord employee email accounts begins

Sep 11, 2024

Suspicious activity identified in an employee email account; third-party digital forensics engaged

Sep 25, 2024

Unauthorized access window closes

Mar 14, 2025

HIPAA breach notification filed with HHS OCR; individual notification letters begin mailing

Mar 14, 2025

OCR portal entry posted listing 173,430 affected individuals

Apr 4, 2025

Edelson Lechtzin LLP announces investigation on behalf of affected individuals

May 16, 2025

Bloomberg Law reports at least seven federal class actions pending in M.D. Tenn. and E.D. Pa.

May 24, 2025

Multiple proposed class actions reported as consolidated

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license numbers

03

Contact & insurance

Phishing + targeted scams

Full names Addresses Bank account information Payment card information Dates of birth Medical information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Console and Associates, P.C. Strauss Borrelli PLLC Murphy Law Firm Levi & Korsinsky, LLP Federman & Sherwood The Lyon Firm Edelson Lechtzin LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

CDHA Management, LLC and Spark DSO, LLC, the Nashville, Tennessee-based dental support organization doing business as Chord Specialty Dental Partners, disclosed on March 14, 2025, that an unauthorized party accessed several employee email accounts between August 19 and September 25, 2024. The intrusion was identified on September 11, 2024, when suspicious activity surfaced in a single employee mailbox. A third-party forensic review determined that the actor had reached multiple accounts containing protected health information for 173,430 individuals. Notification letters began mailing on March 14, 2025, the same date the entity reported the incident to the HHS Office for Civil Rights.

Chord is a multi-specialty dental support organization that provides HR, finance, and other administrative and operational services to more than 60 affiliated dental practices and 10 group practices across Tennessee, Indiana, Pennsylvania, New Jersey, Virginia, and Delaware. Its affiliated practices include pediatric dentistry, orthodontics, oral surgery, and ambulatory surgery centers. The organization rebranded from Spark Dental Management to Chord Specialty Dental Partners in April 2024 and has continued to expand since the breach disclosure, announcing new practice affiliations through 2025.

The incident vector was an email-account compromise, characteristic of credential phishing or business email compromise, rather than a network-wide ransomware deployment. No threat actor has been publicly attributed. Chord stated it found “no evidence to suggest that any information has been or will be fraudulently misused,” but proceeded with notification because it could not rule out unauthorized access to the PHI in the affected mailboxes.

What was stolen

The information involved varies by individual and may include a name combined with one or more of the following, per Chord’s own breach notice and the affiliated Pediatric Dental Associates substitute notice:

  • Address
  • Social Security number
  • Driver’s license number
  • Bank account information
  • Payment card information
  • Date of birth
  • Medical information
  • Health insurance information

Affiliated practices including Philadelphia-based Pediatric Dental Associates posted substitute notices on their own websites referencing the same Chord-administered incident, indicating that the affected population spans the multi-state network of Chord-supported clinics. Because many Chord-affiliated practices serve pediatric patients (infants through adolescents), SSNs exposed for minors carry a heightened synthetic-identity-theft risk that may not surface for years. Parents who received a notification letter about their child should consider placing a credit freeze at all three bureaus in the child’s name.

What Chord is offering

Chord is offering complimentary credit monitoring and identity-theft protection services to individuals who receive notification letters. The substitute notice posted by Pediatric Dental Associates directs affected individuals to enroll by calling the breach response line at 1-833-998-6327 (Monday through Friday, 8 AM to 8 PM ET) and references an enrollment code in the individual notification letter.

The specific monitoring vendor name and enrollment duration are not stated in any publicly available substitute notice reviewed as of this page’s last update. If you received a letter, use the enrollment code before the deadline printed in that letter.

Class actions

At least seven proposed federal class actions were pending across two courts as of mid-May 2025, according to Bloomberg Law. The cases are filed in the Middle District of Tennessee and the Eastern District of Pennsylvania, with docket numbers 3:25-cv-00371, 3:25-cv-00380, 3:25-cv-00379, 3:25-cv-00382, 2:25-cv-02186, 2:25-cv-02453, and 5:25-cv-02482. By late May 2025, DataBreaches.net reported that the proposed class actions had been consolidated.

Firms that have publicly announced investigations or filed cases include Console and Associates, P.C.; Strauss Borrelli PLLC; Murphy Law Firm; Levi & Korsinsky, LLP; Federman & Sherwood; The Lyon Firm; and Edelson Lechtzin LLP. The complaints generally allege negligence, breach of implied contract, and violations of state consumer-protection statutes, pointing in particular to the roughly six-month gap between intrusion containment (September 2024) and individual notification (March 2025).

Chord has also filed breach notices with at least 14 state attorneys general: California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, per aggregator tracking. Those state filings may produce additional enforcement activity or resident-specific notifications.

What to do

  1. Freeze your credit at Equifax, Experian, and TransUnion. Social Security numbers, driver’s license numbers, and financial account data were all in scope. A freeze is free, reversible, and materially more protective than monitoring alone.
  2. Enroll in the offered credit monitoring. Use the enrollment code in your individual notification letter and call 1-833-998-6327 before the deadline in your letter.
  3. If your child was a patient, place a credit freeze in the child’s name at all three bureaus. Synthetic-identity-theft using a minor’s SSN often goes undetected until the child applies for credit or student loans as an adult.
  4. File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was confirmed exposed. This alerts the IRS and helps prevent fraudulent tax returns filed in your name.
  5. Watch for dental billing and insurance fraud. Because medical and health insurance information was exposed, review every Explanation of Benefits from your dental insurer. Request a copy of your record from your insurer if you see procedures you did not receive.
  6. Treat unexpected outreach from dental providers with skepticism. An attacker with mailbox-level access has the context (provider name, appointment dates, billing amounts) to craft convincing follow-on phishing or invoice-fraud lures by phone or email.
  7. Decide whether to join the class action. If a settlement is reached, the administrator will mail a class notice with claim instructions. You do not need to retain a lawyer or pay any fee in advance to receive a settlement payment.

Stop the ongoing flow of your dental and pediatric health data. HealthConsent files HIPAA restriction requests so the medical, insurance, and personal information exposed in this breach is not continuously re-shared across the dental practice networks, insurers, and billing vendors that Chord and its affiliated practices use.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.