DentaQuest

In May 2026, DentaQuest suffered a data breach that exposed the personal and health information of roughly 2.6 million people. The exposed data included names, dates of birth, genders, email addresses, phone numbers, physical addresses, government-issued IDs and health insurance information. Much of it came from healthcare enrollment files, with some records containing Medicaid IDs, so this is protected health information, not just contact details.

DentaQuest administers dental and vision benefits for tens of millions of Americans, largely through state Medicaid and CHIP programs, as a subsidiary of Sun Life. That makes the exposed population unusually sensitive: many of those affected are public-healthcare enrollees whose insurance and government identifiers are now circulating publicly.

DentaQuest has publicly acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network" and said it has contained the attack and mitigated the threat.

The data was stolen and listed for extortion around May 23, 2026, and DentaQuest publicly confirmed the incident on June 2, 2026. The breach was the result of a "pay or leak" campaign by the ShinyHunters group: after the company did not pay, the group published hundreds of gigabytes of data it said it had taken from DentaQuest.

With government-issued IDs, dates of birth and health-insurance and Medicaid details in this leak, the most serious risk is medical identity theft: someone using your insurance or Medicaid ID to obtain treatment, prescriptions or equipment billed in your name. Watch your explanation-of-benefits statements and any Medicaid notices for care you never received, bills or debt collection for treatment you don't recognise, or a message that you've "reached a benefit limit" you never used. Expect scam calls, texts and emails that quote your real name, date of birth or member ID to sound official, for example "we need to verify your DentaQuest account" or "confirm your details to keep your dental coverage active." Treat any unexpected message about your coverage as suspicious: don't click links, don't call the number they give you, and don't confirm personal details. If you need to check something, contact DentaQuest or your state Medicaid office using a number you look up yourself.

Because government-issued IDs and dates of birth were exposed, place a free fraud alert or, better, a credit freeze with the three major credit bureaus (Equifax, Experian and TransUnion) so the data can't be used to open accounts in your name. Review your medical and insurance statements regularly and report anything you don't recognise to your insurer or provider straight away; you can also request a copy of your records to check for treatment logged under your name that isn't yours.

No passwords were included in this leak, so there is nothing to reset on your DentaQuest account itself. But if the email address exposed here is one you reuse with the same password elsewhere, change that password on those other sites, as leaked email addresses are routinely fed into automated login-guessing attacks.