ShinyHunters leaks DentaQuest data after ransom negotiations fail


One of the largest Medicaid dental benefit administrators in the US has had 2.6 million member records published after the ShinyHunters extortion group listed the company and released the data when no agreement was reached.

 

What happened

DentaQuest, a dental benefits administrator that manages Medicaid and Medicare Advantage dental programs across all 50 states and serves approximately 35 million customers, has confirmed unauthorized access to a portion of its network following a data breach claimed by ShinyHunters. According to BleepingComputer, the group listed DentaQuest in late May 2026 and released more than 234 gigabytes of data after the company reportedly failed to reach an agreement with the group. The stolen data was subsequently added to the breach notification service Have I Been Pwned on June 3, 2026, confirming 2,553,599 unique email addresses in the dataset. Exposed information includes names, dates of birth, physical addresses, phone numbers, government-issued IDs, health insurance information, and gender. Healthcare enrollment files in the dataset were formatted as ASC X12 transaction sets, a structured format used in healthcare data exchange, with some records containing Medicaid IDs.

 

Going deeper

DentaQuest is a subsidiary of Sun Life Financial and one of the largest dental benefit administrators in the United States, operating Medicaid dental programs in partnership with state governments. Its client base includes Medicaid beneficiaries, Medicare Advantage enrollees, employer groups, and health plans. The presence of Medicaid IDs and government-issued identification in the leaked dataset adds a dimension beyond standard commercial data breaches. Medicaid beneficiaries are often lower-income individuals who may have limited ability to monitor or respond to identity theft, and whose identifying information, combined with government program enrollment data, creates a detailed profile for targeted fraud. DentaQuest acknowledged in its official security notice that it had contained the attack and was working with cybersecurity experts, forensic investigators, and law enforcement, but provided no operational details about how initial access was obtained or which specific systems were affected.

 

What was said

In its security update, DentaQuest stated it had identified "a cybersecurity incident involving unauthorized access to a limited portion" of its network, that it had "contained the attack and mitigated the threat," and that it was working with a leading cybersecurity firm, forensic investigators, and law enforcement. The company did not confirm the volume of data stolen, the identity of the attacker, or the total number of individuals affected.

 

In the know

The DentaQuest breach is the latest in a sustained ShinyHunters campaign that has targeted healthcare-adjacent organizations alongside consumer brands throughout 2026. According to BleepingComputer, ShinyHunters breached ADT in April 2026 through a vishing attack that compromised an employee's Okta account, then used that access to download data from Salesforce. Okta is an identity management platform that controls employee access to multiple business applications through a single login. The group has also claimed breaches at Charter, 7-Eleven, Ameriprise Financial, and Vimeo in May alone. Medtronic remains absent from the group's leak site despite an earlier claim of 9 million records, suggesting ongoing negotiations or payment. The DentaQuest release follows the same pattern documented in the group's April mass leak: list the victim, set a deadline, publish the data when negotiations fail, and keep it online indefinitely.

 

The big picture

DentaQuest administers Medicaid dental benefits for state programs, meaning the 2.6 million individuals whose data was exposed are largely Medicaid-enrolled patients, a population that did not choose DentaQuest as a vendor and had no visibility into its security posture. For state Medicaid agencies and the health plans that contract with DentaQuest, the breach creates independent HIPAA breach notification obligations of their own, so each covered entity must assess whether to notify affected members directly, report to HHS, and, in some cases, notify state regulators, even if DentaQuest is handling notifications on their behalf. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure accounted for 28% of all email-related healthcare breaches in 2025. The DentaQuest breach extends that pattern to a government program administrator whose clients are state Medicaid agencies rather than individual covered entities.

 

FAQs

What is ASC X12 data, and why does its exposure matter?

ASC X12 is a standardized format used to exchange healthcare administrative data, including enrollment, eligibility, claims, and remittance information, between health plans, providers, and government programs. Files formatted in this standard contain structured demographic and coverage data that can be used to reconstruct an individual's Medicaid enrollment status, coverage details, and identifying information in a usable form without additional processing.
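For teams inventorying where such files sit in their own storage, the following added example (not part of the original article) recognises an X12 interchange from its fixed-width ISA header and reports segment counts only, never values. The sample interchange and every value in it are constructed, and the set of segment IDs treated as member-identifying is an assumption to adjust for your own trading partners.

```python
from collections import Counter
from typing import Optional

# Assumption: segment IDs treated as carrying member-identifying data
# (names/IDs, reference numbers, DOB/gender, street, city/state/zip, contact).
PHI_SEGMENTS = {"NM1", "REF", "DMG", "N3", "N4", "PER"}

def build_sample() -> str:
    """Constructed 834 (benefit enrollment) interchange; every value is fake."""
    isa = "*".join(["ISA", "00", " " * 10, "00", " " * 10, "ZZ", "SENDER".ljust(15),
                    "ZZ", "RECEIVER".ljust(15), "260101", "1200", "^", "00501",
                    "000000001", "0", "T", ":"]) + "~"
    body = ["GS*BE*SENDER*RECEIVER*20260101*1200*1*X*005010X220A1",
            "ST*834*0001*005010X220A1",
            "INS*Y*18*030*XN*A*E**FT",
            "REF*0F*EXAMPLE0001",
            "NM1*IL*1*DOE*JANE****34*000000000",
            "N3*1 EXAMPLE ST",
            "N4*ANYTOWN*XX*00000",
            "DMG*D8*19000101*F",
            "SE*8*0001", "GE*1*1", "IEA*1*000000001"]
    return isa + "~\n".join(body) + "~\n"

def classify_x12(data: str) -> Optional[dict]:
    """Summarise an X12 interchange by counts only, so scan logs never copy PHI."""
    if len(data) < 106 or not data.startswith("ISA"):
        return None
    # The ISA header is fixed-width: byte 3 declares the element separator
    # and byte 105 the segment terminator used by the rest of the file.
    elem, term = data[3], data[105]
    if elem.isalnum() or term.isalnum() or elem == term:
        return None
    segs = [s.strip().split(elem) for s in data.split(term) if s.strip()]
    if len(segs[0]) != 17:  # ISA tag plus its 16 elements
        return None
    ids = Counter(s[0] for s in segs)
    sets = sorted({s[1] for s in segs if s[0] == "ST" and len(s) > 1})
    return {
        "transaction_sets": sets,      # "834" marks enrollment data
        "member_loops": ids["INS"],    # one INS segment per member in an 834
        "phi_segments": {k: ids[k] for k in sorted(PHI_SEGMENTS) if ids[k]},
    }

if __name__ == "__main__":
    print(classify_x12(build_sample()))
```

A hit on transaction set 834 with a non-zero member count is a reasonable trigger for treating the file as PHI in a data-at-rest scan.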

 

Why are Medicaid beneficiaries particularly vulnerable when their data is exposed?

Medicaid beneficiaries are often lower-income individuals who may have limited access to credit monitoring services, less familiarity with identity theft response processes, and fewer financial resources to address fraud if it occurs. Their Medicaid ID, combined with demographic data, also enables healthcare identity fraud, where stolen credentials are used to obtain medical services or equipment billed to the government program.

 

What obligation do state Medicaid agencies have when a program administrator is breached?

State Medicaid agencies that contract with DentaQuest are covered entities or business associates under HIPAA, depending on the program structure, and hold notification obligations to affected beneficiaries when PHI is compromised by a business associate. Agencies should confirm with DentaQuest what notifications have been or will be issued and whether HHS has been notified with accurate figures.

 

How does ShinyHunters' data publication model differ from traditional ransomware?

ShinyHunters does not encrypt systems. Its advantage comes entirely from data exfiltration and the threat of publication. Once data is published, it is available indefinitely for download by any other actor, meaning the harm from non-payment continues beyond the initial release. The group has stated it keeps published data online permanently, which removes any incentive to pay after the release deadline passes.

 

What should DentaQuest's covered entity clients do now?

Health plans and state Medicaid agencies that contracted with DentaQuest should confirm whether their member data was included in the breach, verify what notification obligations they hold independently of DentaQuest's own notifications, and assess whether their business associate agreements provide adequate remedies and oversight mechanisms for incidents of this scale.
