Active breach tracker Minnesota Disclosed March 28, 2025

Community Dental Care Data Breach 2025: 134,903 Patients of Minnesota's Largest Nonprofit Medicaid Dental Provider Notified After December 2024 Network Intrusion

Community Dental Care, Inc., the largest nonprofit Medicaid dental provider in Minnesota, confirmed that an unauthorized actor accessed its network on or about December 6, 2024. Names, Social Security numbers, driver's license and passport numbers, medical information, and health-insurance details for 134,903 individuals were exposed. Notification mailings and a HIPAA filing followed on March 28, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 6, 2024

Unauthorized actor accesses Community Dental Care's network

Dec 20, 2024

Suspicious activity identified in CDC's computer system; systems taken offline and forensics engaged

Mar 24, 2025

Document and file review concludes, establishing the population of affected individuals

Mar 28, 2025

HIPAA breach notification filed with HHS Office for Civil Rights; individual notification letters mailed; substitute notice posted

Mar 28, 2025

OCR portal entry posted reporting 134,903 affected and a Hacking/IT Incident at Network Server

Jun 28, 2025

Enrollment deadline for IDX complimentary identity-protection services offered by CDC

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license or other government-issued identification numbers Passport numbers

03

Contact & insurance

Phishing + targeted scams

Names Addresses Dates of birth Medical information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigating) Migliaccio & Rathod LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Community Dental Care, Inc., a Minnesota nonprofit founded in 2004 that operates five clinics and serves roughly 110,000 patient visits a year as the state’s largest nonprofit Medicaid dental provider, has confirmed that an unauthorized actor accessed its network on or about December 6, 2024. Suspicious activity was identified on December 20, 2024, and a months-long document-and-file review concluded on March 24, 2025 that the personal and health information of 134,903 individuals had been exposed. The HIPAA breach notification was filed with the U.S. Department of Health and Human Services Office for Civil Rights on March 28, 2025, the same day individual notification letters were mailed.

Timeline

  • December 6, 2024 — Unauthorized actor accesses CDC’s network.
  • December 20, 2024 — CDC identifies suspicious activity in its computer system, takes systems offline to stop the activity, and engages third-party forensic experts.
  • March 24, 2025 — Document review concludes, establishing the 134,903-person affected population.
  • March 28, 2025 — CDC files its HIPAA breach notification with HHS OCR (Hacking/IT Incident at Network Server, 134,903 affected), mails individual notification letters, and posts substitute notice. The incident is also reported to the FBI and to the three nationwide consumer reporting agencies.
  • June 28, 2025 — Enrollment deadline for the complimentary IDX identity-protection services offered to eligible notified individuals.

What was exposed

Per CDC’s own notice, the data elements potentially exposed include:

  • Name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number or other government-issued identification number
  • Passport number
  • Medical information
  • Health insurance information

CDC stated it had “no evidence of any actual or suspected misuse” of the compromised information at the time of disclosure. Notification letters indicate that data belonging to both employees and patients may have been exposed, not solely patients. No ransomware group has publicly claimed the intrusion in the sources reviewed. CDC separately reported the incident to the FBI and to the three nationwide consumer reporting agencies.

Sensitive-population considerations

Community Dental Care serves a population that is meaningfully more exposed to the downstream harms of an SSN-plus-government-ID-plus-health-insurance breach than the average dental-practice patient list:

  • Medicaid enrollees and low-income households. CDC describes itself as the largest nonprofit Medicaid dental provider in Minnesota. A large share of the 134,903 affected patients are likely Medicaid recipients, for whom an out-of-pocket loss to identity theft is materially harder to absorb and for whom a fraudulent line of credit can disrupt benefits-eligibility verification.
  • Children. Pediatric dental visits drive a significant portion of community dental volume, which means a meaningful slice of the affected SSNs likely belong to minors. A child’s SSN paired with an attacker-supplied date of birth can support synthetic-identity fraud for years before the child first applies for credit, and is rarely detected by standard adult credit monitoring.
  • Non-English-speaking and immigrant patients. Passport numbers were among the exposed fields, which is uncommon in dental-clinic data sets and points to a patient base that includes recent arrivals and visa holders for whom passport-number misuse can carry immigration-status risk beyond ordinary identity theft.

For these populations, freezing credit at all three bureaus, requesting a free annual credit report for each minor in the household, and watching for unfamiliar mail from federal benefits programs are more protective than monitoring alone.

Class-action posture

As of the most recent sources reviewed, no federal class-action complaint had been publicly docketed against Community Dental Care, Inc. in the District of Minnesota. Two plaintiff-side firms opened public investigations: Strauss Borrelli PLLC and Migliaccio & Rathod LLP both announced investigations in early April 2025 and solicited affected individuals. ClassAction.org’s tracking page for the incident was subsequently marked as having concluded its investigation, without reporting a filed case caption or settlement.

The HHS OCR portal entry remains open. No regulatory action, consent decree, or resolution agreement has been publicly announced.

What the entity is offering

CDC offered complimentary identity-protection services through IDX to eligible notified individuals. Per the notice letter filed with multiple state attorneys general, the IDX package includes:

  • 24 months of credit monitoring and CyberScan dark-web monitoring
  • $1,000,000 identity theft insurance reimbursement policy
  • Fully managed identity theft recovery services

The enrollment deadline communicated in the entity’s notice was June 28, 2025 (now passed). Affected individuals who missed the deadline should still contact IDX directly or call the dedicated CDC toll-free line to inquire about any residual enrollment options.

A dedicated toll-free call center (1-877-417-6430), operating Monday through Friday from 8 a.m. to 8 p.m. Central Time, was made available for questions.

What to do if you may be affected

  1. Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers, driver’s-license numbers, and passport numbers were all exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
  2. Contact IDX about enrollment. The June 28, 2025 deadline has passed. Call 1-877-417-6430 Monday through Friday, 8 a.m. to 8 p.m. Central Time to ask whether residual enrollment options remain available for your notification code. If you are already enrolled, activate the credit monitoring component separately — activation is required to make monitoring effective.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you are concerned about tax-refund fraud. Social Security numbers for both patients and employees were in scope.
  4. Check your minor children’s credit. If a child in your household was a CDC patient, request a free annual credit report for that child from each bureau. A clean report for a minor with no credit history should show “no file”; anything else is a red flag. Freeze the child’s credit at all three bureaus: synthetic-identity fraud using a child’s SSN may not surface until the child first applies for credit years later.
  5. Watch your benefits mail. If you or a household member is a Medicaid enrollee, treat unexpected eligibility-related mail, calls, or text messages with skepticism and verify directly through your county or MNsure account.
  6. Be alert to passport-misuse signals. Unexpected correspondence from USCIS, the State Department, or any entity referencing travel or visa status warrants a direct call to the issuing agency through a phone number you look up independently. Passport numbers are uncommon in dental-practice data sets and suggest a patient base that includes recent arrivals and visa holders for whom passport misuse carries immigration-status risk beyond ordinary identity theft.
  7. Stop the ongoing flow of your dental and health data. HealthConsent files HIPAA restriction requests so the dental-treatment history, health insurance information, and personal identifiers exposed in this breach are not continuously re-shared across insurance networks, billing clearinghouses, and third-party data brokers.

Regulatory filings

CDC filed breach notifications with at least 14 state attorneys general in addition to HHS OCR. State portals confirmed to have received filings include California, Iowa, Maine, Massachusetts (case 2025-578, filed April 2, 2025), Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. This breadth of multi-state AG notice is consistent with the affected population of 134,903 individuals spanning multiple states.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.