DentaQuest Data Breach Lawsuit: 2.6M Accounts Exposed
Data Breach · Lawsuit Filed

DentaQuest Data Breach Class Action Filed After ShinyHunters Leak of 2.6 Million Accounts

Published July 8, 2026

Millions of DentaQuest dental-benefits members may be in the leaked data — but with no settlement and no certified class, there is nothing to file yet.

DentaQuest data breach class action lawsuit over the ShinyHunters leak
DentaQuest, a Sun Life dental-benefits administrator, now faces federal class action litigation over the breach tied to the ShinyHunters leak.
Allegations Only · No Settlement Yet

This article describes a class action complaint and a threat actor's public claims. The statements below are unproven allegations. DentaQuest has not been found liable, there is no certified class, and nothing to claim at this time. This page is informational and is not legal advice.

What Is This About?

The DentaQuest data breach has moved from investigation to litigation. A federal class action complaint, Hufnus v. DentaQuest Group Inc, No. 1:26-cv-12851, was filed in the U.S. District Court for the District of Massachusetts on June 23, 2026, and additional complaints have reportedly been filed over the same incident. The suits follow the ShinyHunters extortion group's leak of a dataset tied to DentaQuest — one of the largest dental-benefits administrators in the United States and part of Sun Life — which the breach-notification service Have I Been Pwned verified as containing roughly 2.6 million unique email addresses.

When we first covered this incident in June as an attorney investigation, no complaint was on file. That has now changed — but the litigation is still at its earliest stage. The complaint's claims are unproven allegations, no class has been certified, DentaQuest has not been found liable, and there is no settlement, no claim form, and nothing to claim.

Status Complaint Filed Hufnus v. DentaQuest Group Inc · D. Mass. · filed June 23, 2026
Scale ~2.6M accounts in the leaked dataset Verified by Have I Been Pwned · DentaQuest has not confirmed an affected-person count
Reportedly Involved Names, contact info, DOB, gov't IDs, health-insurance & Medicaid IDs From analysis of the leaked dataset · SSNs alleged in litigation, not verified in the leak
Can I Claim? No — nothing to claim yet No settlement, no fund, no claim form

The Breach Behind the Lawsuit

Around May 22–23, 2026, the ShinyHunters extortion group listed DentaQuest on its dark-web leak site and demanded a ransom, threatening to publish the data by May 27. After negotiations reportedly broke down, the group published what it claimed was roughly 234 GB of DentaQuest data around May 30 — the volume figure is the attacker's claim, not a company-confirmed number.

On June 2, 2026, DentaQuest confirmed a cybersecurity incident involving unauthorized access to a limited portion of its network, saying it moved quickly to contain the intrusion and that its systems remained operational. The company has not published an affected-person count. The next day, Have I Been Pwned added the breach to its database after verifying about 2.6 million unique email addresses in the leaked dataset, alongside names, phone numbers, physical addresses, dates of birth, gender, government-issued ID numbers, and health-insurance information, with Medicaid IDs in some records.

As of this writing, individual notification letters had not yet gone out — under HIPAA, covered entities generally have 60 days from discovery to notify affected individuals, a window that runs into late July 2026.

What the Lawsuit Alleges

The Hufnus complaint is a proposed data-breach class action alleging that DentaQuest failed to adequately safeguard the personal and health information entrusted to it. Reporting on the DentaQuest complaints describes negligence-based claims — including allegations that the company lacked reasonable security measures — and requests for damages along with injunctive relief requiring security improvements. Those are allegations from the plaintiffs' side of the docket; DentaQuest has not yet responded to the complaint on the merits, and none of the claims has been tested in court.

Because DentaQuest administers dental benefits heavily through government programs such as Medicaid, CHIP, and Medicare Advantage, the incident involves protected health information — which is also why a breach of this size would eventually have to appear on the U.S. Department of Health and Human Services breach portal once formally reported.

Is There a Settlement?

No. A filed complaint is the beginning of a case, not the end. There is no settlement fund, no claim form, no payout, and no deadline, and no class has been certified. If the litigation later settles, a court-appointed administrator would send notices and open a claims process — we will update this page and our data breach settlements hub if that happens. Be cautious of any website claiming you can "file a DentaQuest claim" today.

What Should DentaQuest Members Do Now?

Watch for an official notification letter from DentaQuest, and treat unexpected emails, texts, or calls referencing your dental coverage with suspicion — phishing routinely follows large breaches. Monitor your insurance statements and financial accounts for unfamiliar activity, and consider a fraud alert or credit freeze with the major credit bureaus. Keep any notice you receive; if a settlement or claims process is created later, the notice is typically how class members file. For similar health-data cases, see the Change Healthcare data breach and the Esse Health data breach settlement.

This page is informational and is not legal advice.

Frequently Asked Questions

Has a class action lawsuit been filed over the DentaQuest data breach?

Yes — Hufnus v. DentaQuest Group Inc, No. 1:26-cv-12851 (D. Mass.), filed June 23, 2026, with additional complaints reportedly filed. All claims are unproven allegations; no class is certified.

Is there a DentaQuest data breach settlement?

No. There is no settlement, fund, claim form, or deadline. Nothing to claim at this stage.

How many people were affected?

DentaQuest has not confirmed a count. Have I Been Pwned verified about 2.6 million unique email addresses in the leaked dataset; the attackers' 234 GB figure is their own unverified claim.

Were Social Security numbers exposed?

SSN exposure has been alleged in litigation, but SSNs were not among the data classes verified in the leaked dataset. Treat that question as unresolved until DentaQuest's formal notices spell out what was involved.

Sources

Justia Dockets — Hufnus v. DentaQuest Group Inc, 1:26-cv-12851 (D. Mass.)
Have I Been Pwned — DentaQuest breach entry (~2.6M accounts)
BleepingComputer — "DentaQuest data breach exposed info of 2.6 million accounts"
BankInfoSecurity — "ShinyHunters Leaks 234GB DentaQuest Data Trove"
Security Affairs — ShinyHunters publish DentaQuest data
HIPAA Journal — DentaQuest data breach coverage


For more class actions keep scrolling below.
Status Complaint filed — no class certified, no settlement
Case Title Hufnus v. DentaQuest Group Inc
Case Number 1:26-cv-12851
Court U.S. District Court, District of Massachusetts
Date Filed June 23, 2026

More Health & Data Breach Cases