On May 13, 2025, Upper Dublin Family Dentistry in Pennsylvania suffered a serious cybersecurity incident.
Unauthorized attackers broke into its computer systems, implanted ransomware and encrypted sensitive files. Although the incident was confirmed to be a ransomware attack, the clinic did not pay any ransom to the attackers.
According to documents submitted to the U.S. Department of Health and Human Services, the data breach affected approximately 5,000 U.S. individuals. To gain a deeper understanding of the cause and scope of the incident, the clinic hired a leading cybersecurity and digital forensics company to assist in the investigation.
The investigation showed that the attacker may have accessed or viewed some files containing personally identifiable information (PII) and protected health information (PHI) in the system.
The types of data affected include patients’ names, social security numbers, dates of birth, addresses, phone numbers, insurance claims information, and dental medical records that may contain treatment dates and summaries.
On July 22, 2025, Upper Dublin Family Dentistry formally notified the Massachusetts and Vermont Attorney General offices of the incident, which was detailed in an official data breach notification.
Following the incident, the clinic quickly responded to contain the intrusion, restore system functionality, and harden its network infrastructure. The clinic also implemented a series of new cybersecurity measures to improve future defenses.
As a remedy for affected patients, Upper Dublin Family Dentistry has teamed up with Cyberscout, a subsidiary of TransUnion, to provide 12 months of free credit monitoring services, including single-agency credit reports, credit scores, and change notification services. Users must sign up within 90 days of receiving the notification to ensure full service protection.
In addition, the clinic recommends that those affected:
Keep a close eye on bank accounts and credit reports for suspicious activity;
Add a fraud alert or apply for a security freeze on your credit report if necessary;
If you suspect identity theft, report it to the police, state attorney general, or the Federal Trade Commission immediately.
Detailed consumer notifications and credit agency contact information can be found on the clinic’s website and downloaded in PDF format.
This incident reminds the public that medical information security still faces real threats and that institutions urgently need to strengthen network defenses to protect patient privacy.
