Kathryn Rattigan of Robinson + Cole writes:
Pennsylvania-based Chord Specialty Dental Partners is under fire after a September 2024 data breach compromised the personal information of over 173,000 individuals. At least seven proposed class action lawsuits have been filed in federal courts in Tennessee and Pennsylvania, alleging the company failed to secure and protect patient data properly.
The lawsuits claim Chord Dental violated its obligations under state and federal laws, including the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA). Plaintiffs argue that the company did not implement reasonable cybersecurity measures or provide timely and sufficient notice of the breach.
Exposed data included names, addresses, Social Security numbers, driver’s license numbers, bank and payment card information, dates of birth, and medical and insurance records.
Read more at Robinson + Cole.
Chord is a multi-specialty Dental Support Organization (DSO) based in Tennessee. As a HIPAA business associate, it provides preventive services, diagnostic imaging, and a range of restorative dental care for affiliated pediatric practices, orthodontic locations, and ambulatory surgery centers at more than 60 locations across six states. Its partner practices include Spark Orthodontics, Children’s Dental Health, Pediatric Dental Associates, Dentistry for Children, Children’s Dental Surgery, and Cumberland Pediatric Dentistry & Orthodontics. It is headquartered in Nashville, Tennessee.
On March 14, 2025, Chord posted a notice on its website that explains the breach this way:
On or around September 11, 2024, CDHA Management, LLC and Spark DSO, LLC dba Chord Specialty Dental Partners (“Chord”) discovered suspicious activity related to an employee’s email account. Upon discovery, we took immediate action to secure the account and engaged a team of third-party specialists to assist with determining the full nature and scope of the incident. The investigation determined that an unauthorized individual had gained access to several accounts for a limited time between August 19, 2024, to September 25, 2024. Therefore, we conducted a comprehensive review of the information potentially affected. The type of information varies by individual and may include name and one or more of the following: address, Social Security number, driver’s license, bank account information, payment card information, date of birth, medical information, and health insurance information.
At this time, Chord is not aware of any evidence to suggest that any information has been or will be fraudulently misused. However, we were unable to rule out the possibility that the information could have been accessed. Therefore, in an abundance of caution, we are notifying potentially impacted individuals of this incident.
On March 14, Chord also notified HHS that 173,430 patients had been affected by the incident.
A check of sites that search the dark web leak sites of ransomware and extortion groups did not uncover any data or listing from this incident as of publication today.
From Ms Rattigan’s description of the complaint, plaintiffs have not alleged any concrete harm such as fraud or identity theft, but make claims based on time spent addressing the breach, out-of-pocket costs, distress, increased risk of harm, etc.
On May 22, all related cases were ordered consolidated under Figueroa v. CDHA Management, LLC, 2:25-cv-02186 (E.D. Pa.).