Sonrisas Dental Health Ransomware Attack Affects 15,644 Patients

On March 4, 2025, Sonrisas Dental Health, located in San Mateo County, California, discovered unusual activity in its digital environment. After securing its systems and engaging independent cybersecurity specialists, Sonrisas determined on March 14, 2025, that an unauthorized actor had potentially acquired certain files and data.

The incident has since been classified as a ransomware attack, with the BianLian group claiming responsibility and posting about the breach on the Tor network.

According to the official disclosure, a total of 15,644 individuals in the United States were affected by this breach. The compromised information varies by individual and may include personally identifiable information (PII) such as name, driver’s license number, Social Security number, and date of birth. In addition, protected health information (PHI) such as dental images was also exposed.

The BianLian group posted on the dark web claiming to have obtained financial records, HR information, patients’ PII and PHI, private data of partners, vendors, and providers, as well as internal and external email correspondence and database exports.

The breach was officially reported to the U.S. Department of Health and Human Services on May 2, 2025. You can view the official breach disclosure on the HHS website and Sonrisas Dental Health’s public notice.

Sonrisas Dental Health’s response

In response to the ransomware attack, Sonrisas Dental Health secured its digital environment and initiated a thorough investigation with the help of cybersecurity experts. The organization has since implemented additional security measures to help prevent similar incidents in the future.

For those affected, Sonrisas Dental Health has established a toll-free call center to answer questions and address concerns. The call center is available Monday through Friday from 5:00 a.m. to 5:00 p.m. Pacific Time at 1-833-998-6949.

Affected individuals are encouraged to remain vigilant by monitoring their financial accounts for suspicious activity, requesting free credit reports from the three major credit bureaus, and considering placing a fraud alert or security freeze on their credit files.

The company’s notice also includes detailed steps for protecting personal and financial information, such as reporting any fraudulent activity to law enforcement, utilizing resources from the Federal Trade Commission, and taking advantage of free annual credit reports.

Given that this was a ransomware attack by a known cybercriminal group, it is especially important for affected individuals to take these recommended precautions seriously.