Active breach tracker Roanoke, Virginia Disclosed November 21, 2025

Delta Dental of Virginia Data Breach 2025 (Email Compromise): 126,953 Dental Plan Members Affected. Five Class Actions Filed. What To Do

Delta Dental of Virginia disclosed a March-April 2025 email compromise affecting 126,953 individuals. Names, Social Security numbers, government-issued IDs, and protected health information were potentially accessed. Notification letters mailed November 21, 2025. Five class-action lawsuits followed in December 2025. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 21, 2025

Unauthorized access to a single Delta Dental of Virginia employee email account begins (per forensic review)

Apr 23, 2025

Suspicious activity detected on the email account; account secured the same day and independent cybersecurity experts engaged

Nov 21, 2025

Individual notification letters mailed; HHS OCR breach filing submitted (126,953 affected; Hacking/IT Incident at Email); state AGs in California, Texas, Maine, Massachusetts, New Hampshire, South Carolina, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa notified

Nov 21, 2025

Disclosed publicly

Dec 1, 2025

At least five proposed class-action lawsuits filed in the U.S. District Court for the Western District of Virginia, Roanoke Division; Jones v. Delta Dental of Virginia (No. 7:25-cv-00904) is the earliest confirmed docket, filed December 8, 2025, assigned to Judge Robert S. Ballou

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name State or federal government-issued identification number Financial information Protected health information (including medical and health insurance information)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Mason LLP (investigating) Almeida Law Group (investigating) Schubert Jonckheer & Kolbe LLP (investigating) Lynch Carpenter LLP (investigating) Murphy Law Firm (investigating) Emery Reddy PC (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Delta Dental of Virginia, headquartered at 5415 Airport Road in Roanoke, is Virginia’s largest dental benefits provider, serving more than two million members since 1964. It administers dental and vision plans for individuals and employer groups across the Commonwealth, including Medicaid dental coverage for full-coverage Medicaid members in Virginia.

On April 23, 2025, the company detected suspicious activity on a single employee email account and secured it the same day. An investigation by independent cybersecurity experts determined that an unauthorized third party had access to that account and to certain emails and attachments stored within it between March 21 and April 23, 2025. The company notified HHS OCR on November 21, 2025, reporting 126,953 affected individuals as a Hacking/IT Incident at Email. Its own substitute notice to affected individuals cited a higher figure of 145,918. That discrepancy has not been publicly reconciled. The roughly seven-month gap between the April 23 detection date and the November 21 notification date is the central allegation in the class-action complaints that followed.

Filings with at least 13 state attorneys general documented the geographic spread: Texas (2,374 residents), South Carolina (1,413), Massachusetts (628), Maine (222), and New Hampshire (169), with additional filings in California, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa.

Timeline

  • March 21, 2025. Unauthorized access to a Delta Dental of Virginia employee email account begins, per the forensic review.
  • April 23, 2025. Delta Dental of Virginia detects suspicious activity, secures the account the same day, and engages independent cybersecurity experts.
  • November 21, 2025. Individual notification letters mailed. HHS OCR breach filing submitted (126,953 affected; Hacking/IT Incident at Email). State AG notifications made to California, Texas, Maine, Massachusetts, New Hampshire, South Carolina, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa simultaneously.
  • December 8, 2025. Jones v. Delta Dental of Virginia (No. 7:25-cv-00904) filed in the U.S. District Court for the Western District of Virginia. At least four additional class-action complaints follow in December 2025.

What was exposed

Per Delta Dental of Virginia’s own substitute notice, the following data elements may have been involved, varying by individual:

  • Full name
  • Social Security number
  • State or federal government-issued identification number
  • Protected health information

The Texas AG filing, as reported by ClassAction.org, adds addresses, driver’s license numbers, financial information, and medical and health insurance information to the list of potentially exposed elements for some individuals. Delta Dental of Virginia states it has no evidence of misuse or attempted misuse of any of the impacted information.

The data sat inside an email account rather than a structured claims database. Exposure was attachment-driven and individual-specific. There is no public confirmation that the entire notification population was uniformly exposed to every data category. Your specific notification letter identifies the elements that applied to you.

What Delta Dental of Virginia is offering

Delta Dental of Virginia is offering 12 months of complimentary credit monitoring, dark-web monitoring, and identity theft protection services through TransUnion to individuals whose Social Security numbers or driver’s license numbers were potentially compromised. A $1 million identity theft and fraud reimbursement insurance policy is bundled with those services.

Enrollment instructions and an activation code are included in the mailed notification letter. The dedicated call center is 1-833-303-6496, Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern.

Class actions

At least five proposed class-action complaints were filed in December 2025 in the U.S. District Court for the Western District of Virginia, Roanoke Division. The earliest confirmed docket is Jones v. Delta Dental of Virginia (No. 7:25-cv-00904), filed December 8, 2025 and assigned to District Judge Robert S. Ballou. The complaints allege that Delta Dental of Virginia failed to implement reasonable email security controls and that the approximately seven-month gap between detection on April 23, 2025 and individual notification on November 21, 2025 exceeded both HIPAA’s 60-day breach-notification window and analogous state-law requirements.

Firms publicly investigating or soliciting affected individuals include Mason LLP, Almeida Law Group, Schubert Jonckheer & Kolbe LLP, Lynch Carpenter LLP, Murphy Law Firm, and Emery Reddy PC. Consolidation of the cases or any class certification ruling has not been publicly reported as of the date of this page’s last update.

What to do

If you received a notification letter from Delta Dental of Virginia or believe you were enrolled in a Delta Dental of Virginia plan in 2024 or 2025:

  1. Enroll in the complimentary TransUnion credit monitoring using the activation code in your letter. Coverage lasts 12 months and includes the $1 million identity theft reimbursement policy. Call 1-833-303-6496 if you did not receive a letter and believe you are affected.
  2. Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft. A freeze does not affect your ability to use existing accounts.
  3. File IRS Form 14039 if your Social Security number was exposed. This places a flag on your account to help the IRS detect fraudulent tax returns filed in your name.
  4. Watch for dental and medical identity misuse. Review Explanation of Benefits statements from Delta Dental of Virginia and any other insurer, and request your dental record summary if you suspect services you did not receive.
  5. Be alert for targeted phishing referencing Delta Dental of Virginia, the breach response, or credit monitoring sign-up. Confirm any outreach through the official hotline at 1-833-303-6496 rather than links in unsolicited messages.
  6. Keep your notification letter. It documents the specific data elements exposed for you and is the cleanest record for disputing fraudulent activity, filing an insurance claim, or joining one of the pending class actions.
  7. Stop the ongoing flow of your dental and health insurance data. HealthConsent files HIPAA restriction requests so the protected health information exposed in this breach is not continuously re-shared across dental benefit networks and insurance data exchanges.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.