Delta Dental of Virginia Data Breach 2025 (Email Compromise): 126,953 Dental Plan Members Affected. Five Class Actions Filed. What To Do
Delta Dental of Virginia disclosed a March-April 2025 email compromise affecting 126,953 individuals. Names, Social Security numbers, government-issued IDs, and protected health information were potentially accessed. Notification letters mailed November 21, 2025. Five class-action lawsuits followed in December 2025. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 21, 2025
Unauthorized access to a single Delta Dental of Virginia employee email account begins (per forensic review)
Apr 23, 2025
Suspicious activity detected on the email account; account secured the same day and independent cybersecurity experts engaged
Nov 21, 2025
Individual notification letters mailed; HHS OCR breach filing submitted (126,953 affected; Hacking/IT Incident at Email); state AGs in California, Texas, Maine, Massachusetts, New Hampshire, South Carolina, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa notified
Nov 21, 2025
Disclosed publicly
Dec 1, 2025
At least five proposed class-action lawsuits filed in the U.S. District Court for the Western District of Virginia, Roanoke Division; Jones v. Delta Dental of Virginia (No. 7:25-cv-00904) is the earliest confirmed docket, filed December 8, 2025, assigned to Judge Robert S. Ballou
Mar 21, 2025
Unauthorized access to a single Delta Dental of Virginia employee email account begins (per forensic review)
Apr 23, 2025
Suspicious activity detected on the email account; account secured the same day and independent cybersecurity experts engaged
Nov 21, 2025
Individual notification letters mailed; HHS OCR breach filing submitted (126,953 affected; Hacking/IT Incident at Email); state AGs in California, Texas, Maine, Massachusetts, New Hampshire, South Carolina, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa notified
Nov 21, 2025
Disclosed publicly
Dec 1, 2025
At least five proposed class-action lawsuits filed in the U.S. District Court for the Western District of Virginia, Roanoke Division; Jones v. Delta Dental of Virginia (No. 7:25-cv-00904) is the earliest confirmed docket, filed December 8, 2025, assigned to Judge Robert S. Ballou
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Delta Dental of Virginia, headquartered at 5415 Airport Road in Roanoke, is Virginia’s largest dental benefits provider, serving more than two million members since 1964. It administers dental and vision plans for individuals and employer groups across the Commonwealth, including Medicaid dental coverage for full-coverage Medicaid members in Virginia.
On April 23, 2025, the company detected suspicious activity on a single employee email account and secured it the same day. An investigation by independent cybersecurity experts determined that an unauthorized third party had access to that account and to certain emails and attachments stored within it between March 21 and April 23, 2025. The company notified HHS OCR on November 21, 2025, reporting 126,953 affected individuals as a Hacking/IT Incident at Email. Its own substitute notice to affected individuals cited a higher figure of 145,918. That discrepancy has not been publicly reconciled. The roughly seven-month gap between the April 23 detection date and the November 21 notification date is the central allegation in the class-action complaints that followed.
Filings with at least 13 state attorneys general documented the geographic spread: Texas (2,374 residents), South Carolina (1,413), Massachusetts (628), Maine (222), and New Hampshire (169), with additional filings in California, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa.
Timeline
- March 21, 2025. Unauthorized access to a Delta Dental of Virginia employee email account begins, per the forensic review.
- April 23, 2025. Delta Dental of Virginia detects suspicious activity, secures the account the same day, and engages independent cybersecurity experts.
- November 21, 2025. Individual notification letters mailed. HHS OCR breach filing submitted (126,953 affected; Hacking/IT Incident at Email). State AG notifications made to California, Texas, Maine, Massachusetts, New Hampshire, South Carolina, Vermont, Oregon, Rhode Island, Montana, Nebraska, Washington, and Iowa simultaneously.
- December 8, 2025. Jones v. Delta Dental of Virginia (No. 7:25-cv-00904) filed in the U.S. District Court for the Western District of Virginia. At least four additional class-action complaints follow in December 2025.
What was exposed
Per Delta Dental of Virginia’s own substitute notice, the following data elements may have been involved, varying by individual:
- Full name
- Social Security number
- State or federal government-issued identification number
- Protected health information
The Texas AG filing, as reported by ClassAction.org, adds addresses, driver’s license numbers, financial information, and medical and health insurance information to the list of potentially exposed elements for some individuals. Delta Dental of Virginia states it has no evidence of misuse or attempted misuse of any of the impacted information.
The data sat inside an email account rather than a structured claims database. Exposure was attachment-driven and individual-specific. There is no public confirmation that the entire notification population was uniformly exposed to every data category. Your specific notification letter identifies the elements that applied to you.
What Delta Dental of Virginia is offering
Delta Dental of Virginia is offering 12 months of complimentary credit monitoring, dark-web monitoring, and identity theft protection services through TransUnion to individuals whose Social Security numbers or driver’s license numbers were potentially compromised. A $1 million identity theft and fraud reimbursement insurance policy is bundled with those services.
Enrollment instructions and an activation code are included in the mailed notification letter. The dedicated call center is 1-833-303-6496, Monday through Friday, 8:00 a.m. to 8:00 p.m. Eastern.
Class actions
At least five proposed class-action complaints were filed in December 2025 in the U.S. District Court for the Western District of Virginia, Roanoke Division. The earliest confirmed docket is Jones v. Delta Dental of Virginia (No. 7:25-cv-00904), filed December 8, 2025 and assigned to District Judge Robert S. Ballou. The complaints allege that Delta Dental of Virginia failed to implement reasonable email security controls and that the approximately seven-month gap between detection on April 23, 2025 and individual notification on November 21, 2025 exceeded both HIPAA’s 60-day breach-notification window and analogous state-law requirements.
Firms publicly investigating or soliciting affected individuals include Mason LLP, Almeida Law Group, Schubert Jonckheer & Kolbe LLP, Lynch Carpenter LLP, Murphy Law Firm, and Emery Reddy PC. Consolidation of the cases or any class certification ruling has not been publicly reported as of the date of this page’s last update.
What to do
If you received a notification letter from Delta Dental of Virginia or believe you were enrolled in a Delta Dental of Virginia plan in 2024 or 2025:
- Enroll in the complimentary TransUnion credit monitoring using the activation code in your letter. Coverage lasts 12 months and includes the $1 million identity theft reimbursement policy. Call 1-833-303-6496 if you did not receive a letter and believe you are affected.
- Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the highest-leverage step against new-account identity theft. A freeze does not affect your ability to use existing accounts.
- File IRS Form 14039 if your Social Security number was exposed. This places a flag on your account to help the IRS detect fraudulent tax returns filed in your name.
- Watch for dental and medical identity misuse. Review Explanation of Benefits statements from Delta Dental of Virginia and any other insurer, and request your dental record summary if you suspect services you did not receive.
- Be alert for targeted phishing referencing Delta Dental of Virginia, the breach response, or credit monitoring sign-up. Confirm any outreach through the official hotline at 1-833-303-6496 rather than links in unsolicited messages.
- Keep your notification letter. It documents the specific data elements exposed for you and is the cleanest record for disputing fraudulent activity, filing an insurance claim, or joining one of the pending class actions.
- Stop the ongoing flow of your dental and health insurance data. HealthConsent files HIPAA restriction requests so the protected health information exposed in this breach is not continuously re-shared across dental benefit networks and insurance data exchanges.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Delta Dental of Virginia - Notice of Data Security Incident (PDF, November 21, 2025)
- HIPAA Journal - Delta Dental of Virginia Data Breach Affects 146,000 Individuals
- Security Affairs - Delta Dental of Virginia data breach impacts 145,918 customers
- WSLS 10 - Delta Dental facing legal action following data security incident
- ClassAction.org - Delta Dental of Virginia Data Breach Exposes Protected Health Info
- WDBJ7 - Delta Dental notifies customers of data breach
- HHS Office for Civil Rights Breach Portal
- PACER Monitor - Jones v. Delta Dental of Virginia (No. 7:25-cv-00904, W.D. Va., Dec. 8, 2025)
- Vermont Attorney General - Delta Dental of Virginia Data Breach Notice to Consumers (Nov. 21, 2025)
- California Attorney General - Data Security Breach List (Delta Dental of Virginia entry)
- ClaimDepot - Delta Dental of Virginia Data Breach Impacts 145,918 (state-by-state AG filings)
- Emery Reddy - Delta Dental of Virginia Data Breach (TransUnion credit monitoring confirmed)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.