TRAINING
ESSENTIALS TRAINING RANSOMWARE FREE COURSE FREE UPDATES MYLA SAFE LEADERSHIP
SERVICES
CONSULTATION RISK ASSESSMENT
RESOURCES
BLOG
CERTIFICATION
ACCOUNT
Admin Member
Book a call

What the DentaQuest Cybersecurity Incident Teaches Dental Practices About Vendor Risk, Patient Trust, and AI-Era Scams

Jun 05, 2026

 

When a dental benefits administrator experiences a cybersecurity incident, it is easy for an individual dental practice to think, “That happened somewhere else.”

But in dentistry, “somewhere else” can still land at your front desk.

DentaQuest, one of the largest dental benefits administrators in the United States, recently posted a security update stating that an unauthorized party accessed a limited portion of its network. The company said it took immediate action to secure its environment, contain the attack, and mitigate the threat. It also said its systems remained fully operational with limited disruption, and that it was working with cybersecurity experts, forensic investigators, and law enforcement. [1]

According to Becker’s Dental Review, DentaQuest was still working to determine the scope of the incident and the extent of any data that may have been compromised. Becker’s also reported that SC Media said the breach exposed data from more than 2.6 million DentaQuest accounts. [2]

BleepingComputer reported that the extortion group ShinyHunters claimed to have stolen more than 234 GB of data and later leaked it publicly. The same report said Have I Been Pwned analyzed the leaked dataset and found records for 2.6 million accounts, including email addresses, full names, phone numbers, government-issued IDs, health insurance information, genders, and dates of birth. [3]

The full facts may continue to develop. But the lesson for dental practices is already clear: cybersecurity is not just about what happens inside your own office. It is also about the vendors, benefit administrators, insurers, software providers, and third parties connected to your patient data.

 

Why this matters to dental practices

 

Most dental practices rely on outside organizations every day.

That includes dental benefits administrators, claims processors, imaging platforms, practice management software, payment processors, IT providers, cloud storage systems, patient communication tools, online forms, and increasingly, AI-enabled services.

These tools are part of modern dentistry. The problem is not using vendors.

The problem is not knowing:

  • which vendors handle patient information
  • what information they receive
  • how access is controlled
  • who is responsible for monitoring the relationship
  • what happens if that vendor has a cyber incident
  • how the practice will communicate with patients if questions arise

Patients may not understand the difference between a dental practice, an insurer, a claims administrator, a software vendor, and a benefits platform. They often know one thing: their dental information is involved, and they want someone they trust to explain what is happening.

That is why vendor risk is patient trust risk.

 

What appears to have happened

 

Based on currently available public information, DentaQuest confirmed unauthorized access to a limited portion of its network and said it was investigating the nature and extent of any data that may have been compromised. [1]

Outside reporting added more detail. Becker’s identified DentaQuest as an administrator of dental benefits and reported that more than 2.6 million accounts were affected, citing SC Media. [2]

BleepingComputer reported that ShinyHunters listed DentaQuest on its data leak site, claimed to have stolen more than 234 GB of data, and later leaked the data publicly. It also reported that Have I Been Pwned found 2.6 million account records in the leaked dataset. [3]

The information reportedly exposed included several types of data that can increase the risk of fraud and social engineering: names, email addresses, phone numbers, government-issued IDs, health insurance information, genders, and dates of birth. [3]

That combination matters. A criminal does not need a full dental chart to cause harm. A name, date of birth, phone number, insurance information, and email address can be enough to craft a convincing scam.

 

The real danger may come after the breach

 

A breach is not always the end of the risk. Often, it is the beginning of the next wave.

Once personal information is exposed, attackers can use it to make future scams more believable.

A patient might receive a fake email that appears to be from a dental plan. A practice might receive a message that appears to be from a benefits administrator. A staff member might receive a request that includes enough accurate detail to feel legitimate.

This is where many practices get caught.

The first attack may happen at a vendor. The second attack may target the people connected to that vendor: patients, employers, providers, or dental offices.

That is why a benefits administrator breach should prompt dental practices to review not only their technology, but also their communication habits and verification procedures.

Dental-specific security awarenss training and phishing training  goes a long way in preventing hackers getting in.

 

AI makes the follow-up scams harder to spot

 

Artificial intelligence is changing the quality of phishing and social engineering.

The U.K. National Cyber Security Centre has warned that AI is expected to increase the volume and impact of cyberattacks, including by making phishing and social engineering more convincing. [4]

That matters in dentistry because many scams depend on ordinary business workflows:

  • claims questions
  • benefit verification
  • payment requests
  • password resets
  • patient record requests
  • vendor support emails
  • software alerts
  • invoice changes
  • document-sharing links

In the past, many phishing emails were easier to spot because they had obvious spelling mistakes, strange wording, or awkward formatting.

Now, AI can help attackers write messages that sound polished, professional, and specific.

The suspicious email may not look ridiculous anymore. It may look like Tuesday. The good news is there's training for this. See "The New Standards for Cybersecurity Training in the Age of Artificial Intelligence." 

What dental practices should learn from this incident

 

The DentaQuest incident is not only a story about one organization. It is a reminder that dental practices need practical systems for managing cyber risk, vendor risk, privacy risk, and patient communication.

Here are the lessons worth taking back to the practice.

 

1. Know which vendors handle patient information

 

Every dental practice should maintain a simple vendor inventory.

This does not need to be complicated. Start with a spreadsheet.

List every outside company that may access, store, process, transmit, or support systems involving patient information.

Include:

  • dental benefits administrators
  • claims processors
  • practice management software
  • imaging systems
  • email platforms
  • cloud storage tools
  • payment processors
  • online forms
  • texting and reminder systems
  • IT providers
  • backup providers
  • AI tools
  • consultants or third-party support providers

For each vendor, identify what data they touch and why they need it.

You cannot manage what you have not mapped.

 

2. Assign responsibility before something happens

 

Cybersecurity confusion often starts with a simple problem: everyone assumes someone else is handling it.

Good management means assigning responsibility in advance.

A dental practice should know:

  • who manages each vendor relationship
  • who approves new software or AI tools
  • who contacts IT during an incident
  • who documents decisions
  • who communicates with patients
  • who contacts legal, insurance, privacy, or regulatory support if needed
  • who has authority to make decisions when facts are incomplete

During an incident, unclear roles waste time. Clear roles create calm.

 

3. Train the team for real dental workflows

 

Cybersecurity training should not feel like it was written for a bank, a hospital, or a software company.

Dental teams need training that reflects what they actually do.

That includes:

  • checking benefits
  • opening attachments
  • handling patient forms
  • processing payments
  • communicating with vendors
  • using practice management software
  • responding to patient questions
  • verifying identity
  • using AI tools appropriately
  • reporting suspicious messages

The U.S. Department of Health and Human Services describes workforce training and security awareness as part of administrative safeguards under the HIPAA Security Rule. [5]

Even outside HIPAA settings, the principle is sound: people cannot follow procedures they have never been taught.

 

4. Prepare patient communication before a crisis

 

If a vendor incident affects patients, dental practices may face questions even if they were not the breached organization.

Patients may ask:

  • Was my information involved?
  • What information was exposed?
  • Is my dental office affected?
  • Should I change anything?
  • Could someone use this information to scam me?
  • Who should I contact?

A practice does not need to speculate. In fact, it should not.

Good communication should be calm, factual, and limited to what is known. It should explain what the practice is doing to verify information and where patients can find official updates.

Avoid three common mistakes:

  • saying nothing because the incident happened elsewhere
  • overpromising before facts are confirmed
  • blaming staff, vendors, or patients

Good communication protects trust. Bad communication can make a difficult situation worse.

 

5. Watch for scam activity after public breach reports

 

When a breach becomes public, scammers may use the news as bait.

 

Dental practices should warn teams to be extra cautious with messages that claim to involve:

  • DentaQuest
  • dental benefits
  • insurance information
  • claims issues
  • refunds
  • account verification
  • password resets
  • identity confirmation
  • urgent document review
  • payment updates

A simple rule helps: verify through a trusted channel.

Do not rely on the phone number, link, or attachment inside the suspicious message. Use a known contact method from your records or the vendor’s official website.

 

6. Review access and authentication

 

Many cyber incidents involve stolen credentials, weak access controls, or accounts that have more access than they need.

Dental practices should review:

  • whether each team member has their own login
  • whether shared accounts are still being used
  • whether multifactor authentication is enabled
  • who has administrator access
  • whether former employees still have access
  • whether vendors have remote access
  • whether access is removed when no longer needed

NIST’s healthcare cybersecurity guidance for the HIPAA Security Rule discusses safeguards such as risk management, access control, audit controls, workforce training, and contingency planning. [6]

For dental practices, that translates into a practical question: who can get into what, and do they still need to?

 

7. Make AI part of the security conversation

 

AI is not separate from cybersecurity anymore.

Dental practices should have clear rules about:

  • which AI tools are approved
  • whether patient information can be entered into those tools
  • who reviews AI-generated content before it is used
  • how staff verify unusual requests
  • how the team identifies AI-enhanced phishing or impersonation attempts

The issue is not whether AI is good or bad. The issue is whether the practice is using it with judgment.

AI can help dental teams work more efficiently. It can also help attackers work more convincingly.

Both things can be true.

 

A practical framework: 

 

A simple way to think about this is the Myla SAFE Framework™:

See the Risk
Know what information you hold, where it lives, who can access it, and which vendors touch it.

Assign Responsibility
Name who owns vendor oversight, incident response, privacy decisions, patient communication, and AI tool approval.

Formalize Policies, Procedures, and Training
Turn expectations into documented processes and train the team using real dental examples.

Evolve and Evaluate
Review your systems, vendors, policies, and training regularly because the risks keep changing.

This is not about panic. It is about management.

 

The bigger lesson for dental leaders

 

The DentaQuest incident is a reminder that dental data does not stay neatly inside the four walls of a practice.

It moves through vendors, networks, claims systems, benefits platforms, communication tools, and cloud services.

That does not mean dental practices should stop using technology. It means technology needs leadership.

Good dental cybersecurity now includes:

  • vendor awareness
  • privacy training
  • security awareness training
  • AI governance
  • access control
  • incident response planning
  • patient communication
  • regular review

The practices that handle this best will not be the ones that never face risk. Every practice faces risk.

The practices that handle this best will be the ones that know what they have, know who is responsible, train their people, communicate clearly, and keep improving.

 

 Clear Communication Wins 

Cybersecurity is now part of patient trust.

Patients may never ask about your firewall, your vendor inventory, or your incident response plan.

But they will notice whether your practice communicates clearly, protects their information carefully, and responds professionally when something goes wrong.

The goal is not to scare dental teams.

The goal is to prepare them.

Learn More. Worry Less. Stay Safe.™

 

FAQs

 

What happened in the DentaQuest cybersecurity incident?

DentaQuest said an unauthorized party accessed a limited portion of its network and that it was working with cybersecurity experts, forensic investigators, and law enforcement. Outside reporting said data tied to more than 2.6 million accounts was exposed.

What information was reportedly exposed?

BleepingComputer reported that Have I Been Pwned found 2.6 million account records in the leaked dataset, including email addresses, full names, phone numbers, government-issued IDs, health insurance information, genders, and dates of birth.

Why should dental practices care if the attack happened to a benefits administrator?

Because dental practices rely on vendors and benefit administrators that may handle patient information. If a vendor incident affects patients, the dental practice may still receive questions and may need to understand what happened, what information was involved, and how to communicate responsibly.

How could exposed data be used after a breach?

Exposed personal and insurance-related information can be used to create more believable phishing emails, phone scams, fake benefit messages, identity verification scams, or vendor impersonation attempts.

What should dental practices do now?

Start with a vendor and data inventory. Identify which vendors handle patient information, assign responsibility for each relationship, review access controls, train the team, prepare patient communication templates, and review the plan regularly.

Learn more about how to formalize your processes by enrolling in The Myla SAFE Leaderhip(TM) Prodram today:https://www.mylatraining.com/myla-safe-leadership-program

 

Train Your Team to Spot AI Risks Today

Get Team Training

Featured Training for Dental Teams

Build your team’s cybersecurity, privacy, and AI safety foundation with practical training designed for every team member.

Explore Myla’s essential training bundle and foundational courses.

View Training

Recent Posts

What the DentaQuest Cybersecurity Incident Teaches Dental Practices About Vendor Risk, Patient Trust, and AI-Era Scams Jun 05, 2026
Dental AI Essentials: The Myla PAUSE Protocol™: A Practical Framework for Dental Teams May 16, 2026
Dental AI Essentials: AI Hallucinations in Dentistry: Why ChatGPT Can Be Wrong May 16, 2026

What Are Myla Certifications?

Myla certifications are structured, industry-specific credentials designed for dental professionals. They validate that your team has completed practical cybersecurity, privacy, and AI risk training built specifically for dental practices.

Learn More

NEW - AI Safety Essentials Course

AI is entering healthcare fast. Is your team ready?
This plain-language course helps healthcare teams understand AI privacy and cybersecurity risks, protect patient information, and meet compliance expectations. Includes 7 short modules, a reference guide, final assessment, and a certificate of completion.

Start AI Safety Training