Published May 23, 2025

Delta Dental data breach: millions of health records exposed — here’s how to protect your health info now


In 2023, Delta Dental of California, a group of insurance companies serving over 85 million people, experienced a cyberattack that exposed the sensitive health records of nearly 7 million individuals.

By exploiting a vulnerability in the MOVEit file transfer software, hackers gained access to sensitive data that could be used for malicious activity long after the breach itself.

Read on to learn more about the Delta Dental data breach and how to protect yourself if you become subject to similar incidents.

What is the Delta Dental data breach? 

One of the most significant breaches in healthcare to date, the Delta Dental incident happened in 2023, when a vulnerability in the MOVEit file transfer system put at risk the personal and health information of nearly 7 million people.

You might come across mentions of other Delta Dental data breach incidents in 2022, 2024 (an alleged breach or possibly the continuing fallout from the MOVEit compromise affecting 802,000 individuals), and even in 2025. However, some of these reports remain unverified, and there isn’t enough conclusive evidence to link them to the 2023 Delta Dental data breach.

For that reason, those incidents are not explored in depth here. Instead, the focus remains on the well-documented 2023 Delta Dental breach, its confirmed scope and consequences.

One thing is certain, though: even well-resourced organizations in the health industry are vulnerable to sophisticated cyberattacks. For consumers, it’s a sobering warning that their health information is of tremendous value to cybercriminals.

The good news is, understanding the impact of such incidents can help you improve your digital security.

What happened in the Delta Dental data breach 2023


The 2023 Delta Dental hack happened because of an SQL injection vulnerability in MOVEit, a popular secure data exchange platform used by more than 100,000 enterprises globally. Allegedly, this breach is associated with the Russian-linked Clop ransomware group.

The MOVEit file transfer vulnerability

The vulnerability, officially known as CVE-2023-34362, was a zero-day vulnerability, which means it was unknown to developers, users, or anyone who could have prevented its exploitation at the time it was happening.

This way, the Clop group, said to be responsible for the unauthorized access, was able to penetrate the system from May 27 to May 30, 2023, gaining access to Delta Dental customers’ sensitive information with absolutely no resistance whatsoever.

Here’s how the breach unfolded.

Detailed timeline of the Delta Dental security breach

  • May 27-30, 2023: The hacking group exploited the MOVEit vulnerability and accessed massive amounts of data without anyone noticing it.
  • May 31, 2023: Ipswitch, Inc. (the developer of the MOVEit solution and a subsidiary of Progress Software) released an emergency patch to fix the vulnerability. 
  • June 1, 2023: Delta Dental discovered the vulnerability and began investigations.
  • July 6, 2023: The company confirmed exposure of sensitive data, and engaged forensic experts to identify the full scope of the breach.
  • September 5, 2023: The breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR).
  • November 27, 2023: Delta Dental finalized the list of affected individuals and compromised data.
  • December 14, 2023: Five months after the incident, Delta Dental began notifying the affected individuals about the breach and offering 24 months of complimentary credit monitoring and identity theft protection through Kroll’s monitoring services to reduce potential risks.

What data was exposed and who was affected by the Delta Dental hack

Personally identifiable information (PII) and protected health information (PHI)

The breach exposed two types of data:

  • Personally identifiable information (PII): Data that can be used to distinguish an individual’s identity, more specifically names, Social Security Numbers (SSNs), driver’s license numbers (DL), Tax Identification Numbers (TIN), passport numbers, and financial information.
  • Protected health information (PHI): Medical and health-related information associated with a specific individual, including insurance details, medical history, diagnoses, and treatment records.

Who was impacted

The breach affected members of the Delta Dental of California plan as well as those of its affiliates. As of December 2023, the total number of impacted customers was 6,928,932 individuals across the United States. A quick example so you can picture the scope: the information of about 190,000 of the University of California’s employees, retirees, and dependents was stolen in the attack. In addition, it is said that the breach may have exposed more than 800,000 records of Coca-Cola, Etsy and PayPal employees.

How the public reacted to the 2023 Delta Dental data breach

The frustration and apprehension of those affected by the breach could be best seen on forums like Reddit.

Many users expressed disbelief at how such a large corporation failed to protect their sensitive information. 

“I just got the same letter today. I also got another letter from my mortgage company. They also had a damn security breach. I’m tired of this. It keeps happening. I already have a credit freeze on all 3 credit reports. What concerns me with Delta Dental is now they have everyone’s health insurance information and SS,” said one Reddit user.

Delays in informing the victims added to the dismay and sparked criticism over the company’s response procedures.


Many parents were alarmed that their kids’ personal information was stolen as it left them exposed to identity theft and cybercrimes for years to come. 


What to do if your data was exposed in the Delta Dental data breach

TL;DR: Act fast. If your data has been compromised as a result of the Delta Dental security breach or a similar incident, follow our step-by-step instructions to protect your identity and finances. 

First things first

Here are some of the urgent safeguards: 

  • Freeze your credit or set up alerts: Place a free credit freeze with Equifax, Experian, and TransUnion so no one can open new credit lines in your name. You can do this manually online or by phone. Alternatively, ask any credit bureau to set up fraud alerts for your credit accounts, which require additional verification before new credit is issued.
  • Change passwords and enable MFA: Update any passwords to your financial or health-related accounts. Also, activate multi-factor authentication (MFA) to strengthen protection.

But don’t just stop there; see if you can take some of the longer-term measures below to stay alert at all times. 

Monitor your identity and financial activity

  • Use Kroll or alternative monitoring services: Delta Dental is offering 24 months of free identity monitoring through Kroll’s credit monitoring software. Please note that you can only activate this offering within 90 days of receiving a notification letter from the company. You might also want to check other monitoring services if Kroll doesn’t seem to be enough.
  • Set up alerts for your bank accounts and do regular monitoring yourself: Ask your bank reps to activate the online monitoring feature and set up alerts on your accounts. But even if you have set up alerts, don’t skip manual review of your reports for unfamiliar transactions.
  • Look for suspicious emails: Don’t engage or respond to anyone trying to blackmail or elicit information from you via email. Forward these communications to your local information security office or ignore them.
  • Minimize your digital footprint: Use tools like Onerep to remove your private information from over 210 data broker websites. When left readily available on the public web, your personal information can be combined with the details exposed by a health data breach and exploited for synthetic identity theft, medical identity theft, and more.

Legal action and your rights as a breach victim

Here’s what you need to know about the legal protections you have in case your data was exposed.

Class action lawsuits against Delta Dental

A class action lawsuit was filed against Delta Dental in 2023, with the key allegations being:

  • failure to ensure sufficient security measures,
  • delayed notification that left individuals exposed for months (Delta Dental waited more than five months to notify the public that they were at risk),
  • exposure of victims to the risk of identity and medical fraud.

The case is open, and no legal conclusions have been reached so far. 

Note on delayed notification: It took Delta Dental so long to notify the public because of the detailed forensic investigation to determine the breach’s scope and those affected, which is permissible under the law when the investigation is ongoing.

The delay between detecting the incident, responding to it, and identifying what data has been accessed and by whom, along with which individuals are impacted is not surprising. To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects.

Claude Mandy, Chief Evangelist at Symmetry Systems, in a conversation with The HIPAA Journal

What legal protections you have after a health data breach

Federal and state laws offer certain rights and protections:

  • HIPAA breach notification requirement: Delta Dental, like any other HIPAA-covered entity or business associate, was required to notify affected individuals within 60 days of discovering the breach. Delays in doing so can be seen as non-compliance.
  • State consumer protection laws: If you live in California, you have the right to know, access, delete, and prevent your data from being sold according to the California Consumer Privacy Act (CCPA). Other states, such as Colorado and Virginia, have similar regulations.

How to file a complaint or join a lawsuit

If you’ve been affected, here’s what you can do:

  • Document harm: Keep records of any fraudulent activities.
  • Consult legal professionals: Talk to a lawyer specializing in data breaches.
  • Join an existing class action: Console & Associates and ClassAction.org are gathering plaintiffs for ongoing litigation. In most cases, there is nothing you need to do to join a class action lawsuit, but you might still want to have proof on hand should the case settle.  

FAQs

What happened in the Delta Dental data breach 2023?

In 2023, Delta Dental of California experienced a tremendous data breach associated with the larger MOVEit file transfer vulnerability (also known as CVE-2023-34362). It exposed the personal (PII) and health information (PHI) of nearly 7 million people (6,928,932 individuals, all customers of Delta Dental, to be precise). 

How do I know if my data was compromised?

If you are a Delta Dental of California customer, chances are, your information has been stolen. In December 2023, Delta Dental sent notification letters to those affected. If you haven’t heard from the company, we urge you to contact Delta Dental’s support to see if your data is at risk.

What should I do after having received a Delta Dental security breach notification?

Here’s what you should do to protect your sensitive data:

  1. Freeze your credit file and create alerts for bank accounts.
  2. Change passwords and set up Multi-Factor Authentication (MFA).
  3. Take advantage of the free credit monitoring and identity theft protection offered by Delta Dental through Kroll.
  4. Remove your private information available online with the help of services like Onerep.
  5. Regularly monitor your accounts for suspicious activity.

Is this breach connected to the MOVEit attack?

Yes, the 2023 Delta Dental hack is related to the broader MOVEit file transfer vulnerability (CVE-2023-34362). 

Can I sue Delta Dental or join a class action lawsuit?

Yes, a class action lawsuit was filed against Delta Dental in 2023. No specific action is needed on your end, but you may want to document any fraudulent activity to be eligible to join it.

Mikalai Shershan Chief Technical Officer at Onerep

Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.
