Active breach tracker North Las Vegas, Nevada Disclosed September 18, 2025

Sun Valley Surgery Center Data Breach 2025: 27,001 Pediatric Dental Patients Exposed in Network Intrusion · NV

Sun Valley Surgery Center, the North Las Vegas pediatric dental surgery facility, identified anomalous activity in its information systems on September 3, 2025 and filed a HIPAA breach notification with the HHS Office for Civil Rights on September 18, 2025. A forensic investigation confirmed an unauthorized third party accessed parts of the network where 27,001 individuals' Social Security numbers, government IDs, and medical information were stored. Plaintiff firms have opened class-action investigations.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 3, 2025

Anomalous activity identified within Sun Valley Surgery Center's information systems; third-party forensics engaged

Sep 18, 2025

HIPAA breach notification filed with HHS Office for Civil Rights reporting 27,001 affected individuals

Nov 13, 2025

Public reporting and individual notification mailings widely disseminated; plaintiff firms open investigations

Nov 17, 2025

Strauss Borrelli PLLC announces class-action investigation

Nov 18, 2025

Edelson Lechtzin LLP announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license or state-issued ID information Passport or other government ID information

02

Health records

Don't expire and can't be reissued

Medical record numbers (MRN) and patient ID numbers Health history, diagnosis, and treatment information

03

Contact & insurance

Phishing + targeted scams

Names Contact information Dates of birth Explanation of benefits Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Sun Valley Surgery Center, a North Las Vegas ambulatory surgery facility that specializes in pediatric dental rehabilitation and surgical care for patients with special needs under general anesthesia, identified anomalous activity within its information systems on September 3, 2025. A forensic investigation engaged in the wake of that detection confirmed that an unauthorized third party accessed parts of the network where sensitive patient information was stored. The center filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on September 18, 2025, reporting 27,001 affected individuals in a Hacking/IT Incident event at a Network Server. No ransomware group has publicly claimed responsibility in the sources reviewed, and the breach is characterized in disclosures as unauthorized network access rather than encryption-and-extortion ransomware.

Timeline

  • September 3, 2025 — Anomalous activity is identified within Sun Valley Surgery Center’s information systems. Third-party cybersecurity experts are engaged to investigate, law enforcement is notified, and the network is secured.
  • September 18, 2025 — HIPAA breach notification is filed with the HHS Office for Civil Rights, reporting 27,001 affected individuals; the breach is categorized as a Hacking/IT Incident at Network Server.
  • November 2025 — Individual notification letters are distributed; the breach receives broader public reporting through HIPAA Journal, Becker’s ASC Review, and ClassAction.org.
  • November 17, 2025 — Strauss Borrelli PLLC announces a class-action investigation.
  • November 18, 2025 — Edelson Lechtzin LLP announces a parallel class-action investigation.

What was exposed

The forensic investigation confirmed that the data elements potentially compromised include, depending on the individual:

  • Name and contact information
  • Date of birth
  • Social Security number
  • Driver’s license or state-issued ID information
  • Passport or other governmental ID information
  • Medical record number or patient ID number
  • Health history, diagnosis, and treatment information
  • Explanation of benefits
  • Health insurance information

Because Sun Valley Surgery Center’s patient population is predominantly pediatric, a substantial portion of the exposed Social Security numbers belong to minors. Pediatric SSN exposure carries a long tail of risk: identity thieves often use a child’s SSN for years before the family discovers it, because credit files for minors are rarely monitored.

What the entity is offering

Public disclosures and reporting note that Sun Valley Surgery Center engaged external cybersecurity experts, notified law enforcement, implemented additional safeguards and technical security measures, and is issuing required state and federal disclosures. Credit monitoring and identity-theft protection services are referenced in the notification submitted to the Maine Attorney General as being offered to certain affected individuals, though the specific provider, duration, and enrollment window are described in each individual notification letter rather than the public substitute notice.

Class-action and regulatory posture

The HHS OCR portal entry remains open. As of this writing, no class-action complaint has been filed and served on the public docket in the sources reviewed. Multiple plaintiff firms have publicly opened investigations and are soliciting potential class members, including Strauss Borrelli PLLC (announced November 17, 2025), Edelson Lechtzin LLP (announced November 18, 2025), and attorneys working with ClassAction.org. Given the population (a pediatric dental practice) and the categories of data exposed (Social Security numbers, government IDs, and medical information for minors), a complaint is likely once enough named plaintiffs are recruited.

What to do if you may be affected

  • Freeze your credit and your child’s credit. All three nationwide bureaus (Equifax, Experian, TransUnion) accept freezes on minors’ credit files; instructions are on each bureau’s site. Because most of the affected individuals are children, this is the single most important step. A freeze is free, reversible, and far more protective than monitoring.
  • Watch for the individual notification letter mailed to the address on file. The letter lists the specific data elements exposed for you or your child and the credit-monitoring enrollment instructions. Read it carefully and save it; you may need it to file a class-action claim later.
  • Enroll in any complimentary credit monitoring offered. Enrollment codes are typically single-use and have a hard deadline.
  • Be alert to targeted phishing. Threat actors with a child’s name, date of birth, parent contact information, and pediatric dental-treatment context can craft highly convincing follow-on lures aimed at parents. Treat unexpected calls, emails, or texts referencing Sun Valley Surgery Center, the breach, or your child’s care with skepticism.
  • Review Explanations of Benefits. Because health insurance and treatment data were exposed, any EOB showing services your child did not receive is a sign of medical identity theft and should be reported to your insurer immediately.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.