Active breach tracker Logan, UT Disclosed August 14, 2025

Dr. Doug's Pediatric Dentistry Data Breach 2025: 3,590 Pediatric Patients Exposed (Logan, UT). SSNs, Driver's Licenses, Medicaid, Dental Records. What To Do

Dr. Doug's Pediatric Dentistry in Logan, Utah filed a HIPAA breach with HHS OCR on August 11, 2025, affecting 3,590 current and former pediatric patients. A single employee email account was compromised; an investigation that began in September 2024 and concluded in June 2025 confirmed exposure of names, dates of birth, dental treatment records, Medicaid and dental insurance information, with Social Security numbers and driver's licenses exposed for a smaller subset. Strauss Borrelli PLLC has opened a class-action investigation. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 1, 2024

Unusual activity detected in single employee email account; password reset and forensic investigation launched

Jun 1, 2025

Forensic review completed; exposed data elements confirmed

Aug 11, 2025

HIPAA breach filed with HHS OCR (3,590 affected)

Aug 14, 2025

Substitute notice published on practice website; mailed notification letters begin

Aug 14, 2025

Disclosed publicly

Aug 18, 2025

Strauss Borrelli PLLC opens class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number (limited subset) Driver's license number (limited subset)

02

Health records

Don't expire and can't be reissued

Dental diagnosis and treatment records

03

Contact & insurance

Phishing + targeted scams

Full name Medicaid information Dental insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Dr. Doug’s Pediatric Dentistry is a Logan, Utah pediatric dental practice offering operative dentistry, oral sedation, hospital anesthesia, and early orthodontics. In September 2024, the practice detected unusual activity in a single employee’s email account. The password was reset and a forensic investigation was launched. The investigation, completed in June 2025, confirmed that the compromise was confined to that one mailbox and no other systems or networks were affected. Investigators were not able to determine with certainty whether any specific email in the account was actually opened by the unauthorized party, so the practice notified out of an abundance of caution.

The practice filed a HIPAA breach notification with the HHS Office for Civil Rights on August 11, 2025, reporting 3,590 affected current and former patients. A substitute notice was published on the practice’s website and mailed notification letters began going out on August 14, 2025.

Timeline

  • September 2024 — Unusual activity flagged in one employee email account; password reset; forensic firm engaged.
  • June 2025 — Forensic review concludes. Specific exposed data elements identified.
  • August 11, 2025 — HHS OCR breach report filed: 3,590 individuals.
  • August 14, 2025 — Substitute notice posted; mailed letters begin.
  • August 18, 2025 — Strauss Borrelli PLLC announces class-action investigation.

What was exposed

Per the practice’s own substitute notice, the exposed information may include:

  • Name
  • Date of birth
  • Diagnosis or dental treatment information
  • Medicaid information
  • Dental insurance information

For a limited subset of individuals, the exposed information additionally included:

  • Social Security number
  • Driver’s license number

Not every data element was involved for every patient.

Why this matters more for pediatric patients

The overwhelming majority of Dr. Doug’s patient base is children. Pediatric Social Security number and Medicaid exposure is among the highest-severity categories of breach data because child identity theft typically goes undetected for years. Parents do not routinely monitor minor credit files, and most damage only surfaces when the child applies for their first credit card, student loan, lease, or job. By that point the synthetic-identity trail may be a decade deep.

Medicaid numbers are particularly attractive to medical identity thieves because they tie to public-benefit eligibility and can be used to bill fraudulent services in the child’s name — corrupting the medical record long before the family ever notices.

What Dr. Doug’s is offering

The practice’s notice does not include a complimentary identity-monitoring or credit-monitoring enrollment. Affected patients are instead directed to:

  • A dedicated toll-free call center: 833-594-5308, Monday to Friday, 7 a.m. to 7 p.m. Mountain Time
  • Generic recommendations to “remain vigilant” and review account statements
  • Generic recommendations to sign up for free credit monitoring “if offered” — but none is provided by the practice itself

The absence of practice-funded credit monitoring is notable given that Social Security numbers and driver’s license numbers were confirmed exposed for a subset of the 3,590 affected.

Class-action investigation

Strauss Borrelli PLLC announced a class-action investigation on August 18, 2025, soliciting affected individuals to discuss potential legal remedies. No class complaint has been publicly docketed as of this page’s last update — the matter remains in pre-suit investigation. We will update this page if and when a complaint is filed.

What to do if you may be affected

  1. Call 833-594-5308 to confirm whether your child is on the affected list and to request the specific data elements exposed for your child.
  2. Freeze your child’s credit at all three bureaus (Equifax, Experian, TransUnion). Minors require manual outreach with proof of guardianship — start the process today. A child credit freeze is the strongest available protection against synthetic identity theft.
  3. Freeze your own credit if you are the financially responsible party on the dental account (Medicaid and insurance records may include parent identifiers).
  4. File IRS Form 14039 in your child’s name if their Social Security number was exposed. This flags the SSN against fraudulent tax-return filings.
  5. Check your child’s Social Security earnings history annually starting at age 14 — unauthorized earnings reports are an early sign that the SSN is being used.
  6. Contact your state Medicaid office to flag the account for potential medical-identity-theft monitoring if Medicaid information was exposed.
  7. Preserve the notification letter. If a class action proceeds, the letter is your proof of standing. If your child encounters identity-theft issues at age 18+, the documentation supports disputes.
  8. Stop the ongoing flow of your child’s dental records. HealthConsent files HIPAA restriction requests so the pediatric dental data exposed in this breach is not continuously re-shared.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.