Community Dental Care Data Breach 2025: 134,903 Patients of Minnesota's Largest Nonprofit Medicaid Dental Provider Notified After December 2024 Network Intrusion
Community Dental Care, Inc., the largest nonprofit Medicaid dental provider in Minnesota, confirmed that an unauthorized actor accessed its network on or about December 6, 2024. Names, Social Security numbers, driver's license and passport numbers, medical information, and health-insurance details for 134,903 individuals were exposed. Notification mailings and a HIPAA filing followed on March 28, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 6, 2024
Unauthorized actor accesses Community Dental Care's network
Dec 20, 2024
Suspicious activity identified in CDC's computer system; systems taken offline and forensics engaged
Mar 24, 2025
Document and file review concludes, establishing the population of affected individuals
Mar 28, 2025
HIPAA breach notification filed with HHS Office for Civil Rights; individual notification letters mailed; substitute notice posted
Mar 28, 2025
OCR portal entry posted reporting 134,903 affected and a Hacking/IT Incident at Network Server
Jun 28, 2025
Enrollment deadline for IDX complimentary identity-protection services offered by CDC
Dec 6, 2024
Unauthorized actor accesses Community Dental Care's network
Dec 20, 2024
Suspicious activity identified in CDC's computer system; systems taken offline and forensics engaged
Mar 24, 2025
Document and file review concludes, establishing the population of affected individuals
Mar 28, 2025
HIPAA breach notification filed with HHS Office for Civil Rights; individual notification letters mailed; substitute notice posted
Mar 28, 2025
OCR portal entry posted reporting 134,903 affected and a Hacking/IT Incident at Network Server
Jun 28, 2025
Enrollment deadline for IDX complimentary identity-protection services offered by CDC
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Community Dental Care, Inc., a Minnesota nonprofit founded in 2004 that operates five clinics and serves roughly 110,000 patient visits a year as the state’s largest nonprofit Medicaid dental provider, has confirmed that an unauthorized actor accessed its network on or about December 6, 2024. Suspicious activity was identified on December 20, 2024, and a months-long document-and-file review concluded on March 24, 2025 that the personal and health information of 134,903 individuals had been exposed. The HIPAA breach notification was filed with the U.S. Department of Health and Human Services Office for Civil Rights on March 28, 2025, the same day individual notification letters were mailed.
Timeline
- December 6, 2024 — Unauthorized actor accesses CDC’s network.
- December 20, 2024 — CDC identifies suspicious activity in its computer system, takes systems offline to stop the activity, and engages third-party forensic experts.
- March 24, 2025 — Document review concludes, establishing the 134,903-person affected population.
- March 28, 2025 — CDC files its HIPAA breach notification with HHS OCR (Hacking/IT Incident at Network Server, 134,903 affected), mails individual notification letters, and posts substitute notice. The incident is also reported to the FBI and to the three nationwide consumer reporting agencies.
- June 28, 2025 — Enrollment deadline for the complimentary IDX identity-protection services offered to eligible notified individuals.
What was exposed
Per CDC’s own notice, the data elements potentially exposed include:
- Name
- Address
- Date of birth
- Social Security number
- Driver’s license number or other government-issued identification number
- Passport number
- Medical information
- Health insurance information
CDC stated it had “no evidence of any actual or suspected misuse” of the compromised information at the time of disclosure. Notification letters indicate that data belonging to both employees and patients may have been exposed, not solely patients. No ransomware group has publicly claimed the intrusion in the sources reviewed. CDC separately reported the incident to the FBI and to the three nationwide consumer reporting agencies.
Sensitive-population considerations
Community Dental Care serves a population that is meaningfully more exposed to the downstream harms of an SSN-plus-government-ID-plus-health-insurance breach than the average dental-practice patient list:
- Medicaid enrollees and low-income households. CDC describes itself as the largest nonprofit Medicaid dental provider in Minnesota. A large share of the 134,903 affected patients are likely Medicaid recipients, for whom an out-of-pocket loss to identity theft is materially harder to absorb and for whom a fraudulent line of credit can disrupt benefits-eligibility verification.
- Children. Pediatric dental visits drive a significant portion of community dental volume, which means a meaningful slice of the affected SSNs likely belong to minors. A child’s SSN paired with an attacker-supplied date of birth can support synthetic-identity fraud for years before the child first applies for credit, and is rarely detected by standard adult credit monitoring.
- Non-English-speaking and immigrant patients. Passport numbers were among the exposed fields, which is uncommon in dental-clinic data sets and points to a patient base that includes recent arrivals and visa holders for whom passport-number misuse can carry immigration-status risk beyond ordinary identity theft.
For these populations, freezing credit at all three bureaus, requesting a free annual credit report for each minor in the household, and watching for unfamiliar mail from federal benefits programs are more protective than monitoring alone.
Class-action posture
As of the most recent sources reviewed, no federal class-action complaint had been publicly docketed against Community Dental Care, Inc. in the District of Minnesota. Two plaintiff-side firms opened public investigations: Strauss Borrelli PLLC and Migliaccio & Rathod LLP both announced investigations in early April 2025 and solicited affected individuals. ClassAction.org’s tracking page for the incident was subsequently marked as having concluded its investigation, without reporting a filed case caption or settlement.
The HHS OCR portal entry remains open. No regulatory action, consent decree, or resolution agreement has been publicly announced.
What the entity is offering
CDC offered complimentary identity-protection services through IDX to eligible notified individuals. Per the notice letter filed with multiple state attorneys general, the IDX package includes:
- 24 months of credit monitoring and CyberScan dark-web monitoring
- $1,000,000 identity theft insurance reimbursement policy
- Fully managed identity theft recovery services
The enrollment deadline communicated in the entity’s notice was June 28, 2025 (now passed). Affected individuals who missed the deadline should still contact IDX directly or call the dedicated CDC toll-free line to inquire about any residual enrollment options.
A dedicated toll-free call center (1-877-417-6430), operating Monday through Friday from 8 a.m. to 8 p.m. Central Time, was made available for questions.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers, driver’s-license numbers, and passport numbers were all exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible.
- Contact IDX about enrollment. The June 28, 2025 deadline has passed. Call 1-877-417-6430 Monday through Friday, 8 a.m. to 8 p.m. Central Time to ask whether residual enrollment options remain available for your notification code. If you are already enrolled, activate the credit monitoring component separately — activation is required to make monitoring effective.
- File IRS Form 14039 (Identity Theft Affidavit) if you are concerned about tax-refund fraud. Social Security numbers for both patients and employees were in scope.
- Check your minor children’s credit. If a child in your household was a CDC patient, request a free annual credit report for that child from each bureau. A clean report for a minor with no credit history should show “no file”; anything else is a red flag. Freeze the child’s credit at all three bureaus: synthetic-identity fraud using a child’s SSN may not surface until the child first applies for credit years later.
- Watch your benefits mail. If you or a household member is a Medicaid enrollee, treat unexpected eligibility-related mail, calls, or text messages with skepticism and verify directly through your county or MNsure account.
- Be alert to passport-misuse signals. Unexpected correspondence from USCIS, the State Department, or any entity referencing travel or visa status warrants a direct call to the issuing agency through a phone number you look up independently. Passport numbers are uncommon in dental-practice data sets and suggest a patient base that includes recent arrivals and visa holders for whom passport misuse carries immigration-status risk beyond ordinary identity theft.
- Stop the ongoing flow of your dental and health data. HealthConsent files HIPAA restriction requests so the dental-treatment history, health insurance information, and personal identifiers exposed in this breach are not continuously re-shared across insurance networks, billing clearinghouses, and third-party data brokers.
Regulatory filings
CDC filed breach notifications with at least 14 state attorneys general in addition to HHS OCR. State portals confirmed to have received filings include California, Iowa, Maine, Massachusetts (case 2025-578, filed April 2, 2025), Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. This breadth of multi-state AG notice is consistent with the affected population of 134,903 individuals spanning multiple states.
Continue reading
- Your HIPAA Rights — how to request restrictions on your dental and health records
- All tracked healthcare breaches
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-03-28; 134,903 affected; Hacking/IT Incident at Network Server).
- Community Dental Care, Inc. — Notice Following Data Security Incident — entity’s own substitute notice, including timeline, exposed-data list, IDX enrollment deadline, and call-center number.
- BankInfoSecurity — Minnesota Dental Clinic Notifying 135,000 of 2024 Hack — confirms 134,903 affected, organizational scale (five clinics, ~110,000 visits/year, largest nonprofit Medicaid dental provider in Minnesota), and the early-stage plaintiff-firm investigation posture.
- Strauss Borrelli PLLC — Community Dental Care Data Breach Investigation — plaintiff-side investigation announcement; mirrors the entity’s timeline and exposed-data list.
- ClassAction.org — Community Dental Care Data Breach Lawsuit Investigation — confirms unauthorized-access date, discovery date, review-completion date, and that employee data as well as patient data was exposed; notes the investigation concluded without a publicly tracked filed case.
- Becker’s Dental Review — 15 data breaches that impacted dentistry in 2025 — independent industry trade press confirmation that CDC suffered a 2025 patient-data breach across its five Minnesota clinics.
- Massachusetts Attorney General — Data Breach Notification Letters April 2025 (case 2025-578) — state AG filing confirmation; breach first reported to Massachusetts AG on April 2, 2025.
- ClaimDepot — Community Dental Care Data Breach Summary — aggregates multi-state AG filing confirmations and IDX coverage details (24 months, $1M policy, CyberScan monitoring) sourced from the notice letter.
- Migliaccio & Rathod LLP — Community Dental Care, Inc. Data Breach Investigation — second plaintiff-firm investigation announcement; confirms attacker “stolen” characterization per the firm.
- HIPAA Journal — March 2025 Healthcare Data Breach Report — independent trade-press listing confirming CDC among March 2025 OCR breach filings.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Community Dental Care, Inc. — Notice Following Data Security Incident (PR Newswire)
- BankInfoSecurity — Minnesota Dental Clinic Notifying 135,000 of 2024 Hack
- Strauss Borrelli PLLC — Community Dental Care Data Breach Investigation
- ClassAction.org — Community Dental Care Data Breach Lawsuit Investigation
- Becker's Dental Review — 15 data breaches that impacted dentistry in 2025
- Massachusetts Attorney General — Data Breach Notification Letters April 2025 (case 2025-578)
- ClaimDepot — Community Dental Care Data Breach Summary (AG filings, IDX coverage details)
- Migliaccio & Rathod LLP — Community Dental Care, Inc. Data Breach Investigation
- HIPAA Journal — March 2025 Healthcare Data Breach Report
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.