Both the Nevada-based dental practice and Judge Consulting, a technology and staffing firm, faced a class action suit following a 2025 data breach.
What happened
Recently, Absolute Dental and Judge Consulting agreed to settle a lawsuit, Jordan et al. v. Absolute Dental Group, LLC, et al., alleging that following a data breach in 2025, both organizations failed to adequately secure patient data, failed to properly monitor their systems for intrusions, and failed to notify the victims of the breach in a timely manner.
The plaintiffs and defendants agreed to a settlement of $3.3 million, which will go towards legal fees, service awards for the representatives, and benefits for the class action members.
The final approval hearing is scheduled for July 30th, 2026.
The backstory
The lawsuit followed a data breach that was first detected on February 26th, 2025. Through an investigation, it was determined that Absolute Dental’s network had been accessed by an unauthorized party between February 19th, 2025, and March 5th, 2025. According to the original breach notice, the incident “originated from the inadvertent execution of a malicious version of a legitimate software tool,” which occurred through an account associated with Judge Consulting.
Accessed information included names, contact information, Social Security numbers, driver’s license numbers, health information, health insurance information, financial information, and additional sensitive data. The incident impacted approximately 1,22,635 individuals. No hacking organization publicly took credit for the incident.
The big picture
The breach constitutes a type of supply chain attack, where a third party (Judge Consulting) was used to access records from Absolute Dental. Data breaches at third parties are becoming fairly commonplace, although it’s not as common for those organizations to be hit with lawsuits. Generally, the healthcare organization is the one that faces responsibility for the breach, as it was the one trusted with the data initially. Many practices outsource administrative tasks, like billing and training. Outsourcing any tasks related to protected health information (PHI) requires third parties to sign Business Associate Agreements (BAA), outlining the third party’s role and responsibility in protecting the data.
As breaches increase in severity, with larger victim counts, so do the consequences. The average data breach in 2025 cost companies $11 million. Many lawsuits fall into the multi-million range, like Chattanooga Heart Institute, which will be paying $3.75 million, and Anne Arundel Dermatology, which will be paying a $2.4 million settlement. Even if there is no lawsuit, there can be other financial penalties, like how OrthopedicNY faced a $1.95 million penalty from the Office of Civil Rights (OCR) for failure to adequately prevent ransomware attacks. All three of these settlements and the penalty took place in April alone.
FAQs
What was Judge Consulting’s role during the incident?
Judge Consulting is a managed services provider (MSP), providing administrative and technical assistance to Absolute Dental. It seems the breach took place against this company, but ultimately impacted Absolute Dental’s patients, which is why both companies were implicated in the attack.
Can Absolute Dental or Judge Consulting face any other repercussions?
It’s unlikely that they will face any additional lawsuits or penalties from the incident, as those would already be in process. However, both companies are likely still reeling from the event and financial repercussions, which may impact operational decisions and patient trust.
