Chord Dental hit by cyberattack

Chord Specialty Dental Partners (Chord Dental), a third-party dental practice vendor based in Nashville, faces multiple class action lawsuits and a potential HIPAA investigation after a major cyberattack. Chord Dental provides HR, finance, and other administrative services to 60 dental practices and 10 group practices across Tennessee, Indiana, Pennsylvania, New Jersey, Virginia, and Delaware, including pediatric dentistry, orthodontics, oral surgery, and ambulatory surgery centers.

Chord Dental Provides Breach Notice

On March 14, 2025, Chord Dental published a breach notice explaining that it “discovered suspicious activity related to an employee’s email account” on or around September 11, 2024. The company immediately secured its systems and engaged a third-party security team to investigate.

The investigation found that an unauthorized individual had accessed several email accounts between August 19, 2024, and September 25, 2024. The email accounts stored a variety of personal patient information. Chord Dental explained that the information accessed varies by individual and may include:

  • Name
  • Address
  • Social Security number
  • Driver’s license
  • Bank account information
  • Payment card information
  • Date of birth
  • Medical information
  • Health insurance information

Chord Dental said it is unaware of evidence suggesting that any information has been or will be fraudulently misused.

“However, we were unable to rule out the possibility that the information could have been accessed. Therefore, in an abundance of caution, we are notifying potentially impacted individuals of this incident.”

Chord Dental is a HIPAA Business Associate

Dental practices often rely on specialty service providers to carry out administrative tasks.

As Chord Dental notes on its website:

“Our partner practices and providers can lean on our Home Support Office and internal teams, making it easier for dental care teams to focus on the clinical aspects of their practice, and less on the clerical responsibilities of managing a practice.”

As a HIPAA business associate, Chord Dental is responsible for maintaining the privacy and security of patients’ protected health information (PHI) in its care. The Office for Civil Rights (OCR), which enforces HIPAA, investigates all breaches affecting 500 or more individuals, so Chord Dental must respond to that investigation when it happens.

A HIPAA investigation will ask whether Chord Dental follows the Security Rule, conducts a HIPAA Risk Analysis, and follows a Risk Management Plan.

Chord Dental Faces Class Action Lawsuits

In addition to HIPAA enforcement, Chord Dental is already facing at least four proposed federal class action lawsuits related to the breach. At the same time, at least a half-dozen more law firms have issued public statements saying they are also investigating the incident for potential litigation.

The lawsuits make similar claims. One of them, brought by Shequita Eury on behalf of her minor child individually and on behalf of all others similarly situated, claims that Chord Dental was reckless and negligent and failed to safeguard sensitive information, putting the plaintiffs at risk for identity theft and fraud crimes.

Eury’s lawsuit alleges:

“Because of defendants’ failures to prevent – and to timely detect – the data breach, plaintiffs and the proposed class have suffered and will continue to suffer damages, including monetary losses, lost time, anxiety and emotional distress.”

The lawsuits seek similar relief, including financial damages and an injunctive order requiring Chord Dental to improve its cybersecurity.

Follow the Security Rule to Protect PHI

Chord Dental’s HIPAA policies and procedures will be scrutinized in any HIPAA investigation and in the lawsuits. Although HIPAA does not provide individuals with a right to sue, the plaintiffs, suing for breach of privacy and negligence, will use HIPAA standards as a benchmark against which to compare Chord Dental’s security practices.

Covered entities, like the dental providers who engaged Chord Dental, are not necessarily off the hook. During a HIPAA investigation, they may be scrutinized for how well they evaluated their business associates. Did they conduct due diligence, as required by HIPAA? Did they have a HIPAA business associate agreement in place? Had they conducted their own risk analysis?

The Security Rule is a blueprint for preventing cybercrime and the gold standard for attentive safeguards of patient data. Review your data security practices today to ensure you’re following HIPAA. By doing so, you can lessen the risk of data breaches and prepare for defense against lawsuits if breaches happen.
