Credit: Funtap/Adobe Stock
A big dental insurance company is coping with a data breach that may have exposed the personal information of 2.6 million people.
DentaQuest, a Wellesley Hills, Massachusetts-based subsidiary of Sun Life Financial, has warned customers and other associates about the breach in a notice posted recently on its website.
"DentaQuest is actively managing a cybersecurity incident involving unauthorized access to a limited portion of our network," the company says in the notice. "Upon discovery of the initial incident, we took immediate action to secure our environment, contain the attack and mitigate the threat. Our systems remain fully operational, and we continue to serve our clients with limited disruption."
ShinyHunters, a cyberattack organization, posted a 234-gigabyte file related to the incident in May. The organization said that the file contained customer records obtained from DentaQuest, that it tried to persuade DentaQuest to make a ransom payment, and that DentaQuest had declined to make a ransom payment.
Have I Been Pwned — a data breach tracking service that's used as a source of breach data by some cybersecurity issuers and the managers of the Firefox web browser — says the ShinHunters file contains 2.6 million email addresses, "along with names, addresses and phone numbers."
Law firms have filed at least six suits on behalf of people affected by the breach in the U.S. District Court for the District of Massachusetts.
Two plaintiffs, Caridad Hilaire and Tawana McCants, suggest in one of the complaints that they fear the data exposed "may have included victims' names, Social Security numbers, dates of birth, and medical information."
The plaintiffs in all of the suits are seeking to represent a class consisting of all U.S. residents affected by the breach, excluding some people affiliated with DentaQuest, the judge who hears the case, and the staff and relatives of the judge.
Representatives for DentaQuest could not immediately be reached for comment.
The backdrop: The DentaQuest breach is just the latest big breach affecting health care, health insurance and health benefits organizations.
Earlier this year, for example, TriZetto Provider Solutions, a Cognizant subsidiary that provides technology services for health care providers, reported that a breach discovered in late 2025 may have affected the records of 3.4 million of the providers' patients.
U.S. District Judge Allison Burroughs is still presiding over a large group of lawsuits related to a 2023 breach, involving infiltration of a popular file transfer system, through a "multidistrict litigation" process taking place in the same court where the DentaQuest suits have been filed.
I Have Been Pwned says it has compiled records for 17.6 million hacked accounts on 1 million hacked websites.
ShinyHunters: The ShinyHunters cyberattack group is believed to have organized many other large insurance and benefits breaches in recent years, including a breach involving Canada Life that may have involved people with 200,000 separate email addresses and a breach of Kemper Corp. that may have affected people with 269,000 separate email addresses.
ShinyHunters also appears to be a hack that shut down many U.S. colleges learning management systems' in May and disrupted many students' final exams.
A bulletin posted by California cybersecurity officials calls for computer system defenders to watch for new account multi-factor authentication devices named "Passkey" or "Phone," big spikes in traffic going to Salesforce bulk export destinations, and long user authentication flows that involve "multiple failures followed by a sudden, successful device enrollment."
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.