Absolute Dental Group Settles Data Breach Class Action for $3.3 Million After 1.2 Million Patient Records Exfiltrated Over 15 Days

On December 12, 2025, Absolute Dental Group, LLC finalized a class action settlement in the United States District Court for the District of Nevada (Case No. 2:25-cv-00986-JAD-DJA) that will pay $3,300,000 to resolve claims arising from a cyberattack that compromised the personal and medical information of 1,223,437 patients across the United States. The breach, which occurred between February 19, 2025 and March 5, 2025, exposed Social Security numbers, driver’s license numbers, dates of birth, medical diagnoses, treatment information, insurance policy details, and other health-related data.

Absolute Dental became aware of the incident on February 26, 2025. By that time, unauthorized actors had already been inside the company’s information systems for seven days. The exfiltration continued for an additional seven days after initial detection, bringing the total window of compromise to 15 days. The settlement agreement, filed on December 19, 2025, acknowledges that the company “determined that, between February 19, 2025 and March 5, 2025, an unauthorized party accessed some of Absolute Dental’s systems and potentially exfiltrated information pertaining to certain of Absolute Dental’s patients and employees.”

The named plaintiffs—Kathleen Jordan, Marlo Eastman, Edwina Jackson, Amanda Maduike-Iwata, and Viridiana Tinajero Monterroza—filed their initial complaints in June 2025, alleging negligence, breach of fiduciary duty, and violations of state consumer protection laws. After voluntary dismissal of parallel state court actions, the consolidated federal case proceeded to mediation on October 29, 2025, facilitated by Bennett G. Picker, Esq., of Stradley Ronon LLP.

The settlement does not include Judge Consulting, Inc. (JCI), a defendant vendor named in the operative Second Amended Complaint. Litigation against JCI continues. The release explicitly states: “This Settlement does not release, and it is not the intention of the Parties to this Settlement to release, any claims against any other party, including but not limited to JCI.”

The Non-Financial Ledger

The stolen data was not abstract. It was the medical history of children receiving their first dental cleanings. It was the Social Security numbers of elderly patients on fixed incomes who now face elevated identity theft risk for the rest of their lives. It was the insurance guarantor information of single parents who trusted a dental chain to secure their family’s most sensitive details.

For 15 days, an unauthorized party had unrestricted access to records containing diagnoses, treatment plans, provider identification numbers, emergency contact information, and billing data. Patients who visited Absolute Dental for a routine cleaning in early 2025 are now forced to monitor credit reports, freeze accounts, and explain to potential lenders why fraud alerts are attached to their names.

The settlement agreement contains no victim impact statements. There are no testimonials from the 1,223,437 people whose privacy was violated. The closest the document comes to acknowledging human harm is a definition: “Documented Loss refers to monetary losses incurred by a Class Member and supported by Reasonable Documentation for attempting to remedy or remedying issues that are more likely than not a result of the Data Incident.”

Translation: If you didn’t keep your receipts, your suffering doesn’t count.

One plaintiff, Edwina Jackson, signed the settlement agreement on December 17, 2025. Her name appears on page 32 of the filing. She is one of five. The other 1,223,432 people are listed in a spreadsheet provided to the settlement administrator within 14 days of preliminary approval. They are data points in a CSV file.

Absolute Dental sent breach notification letters to affected individuals. Those letters likely included boilerplate language about “an abundance of caution” and “no evidence of misuse at this time.” The settlement agreement confirms that “all persons who were sent notice of the Data Incident” are members of the settlement class. If you received a letter, you’re in. If you didn’t, you might still be in—but you’ll never know unless you actively check the settlement website once it launches.

The emotional toll of a medical data breach is not compensable under this settlement unless you paid someone to help you deal with it and you kept the invoice.

Legal Receipts

“WHEREAS, on February 26, 2025, Absolute Dental became aware of a potential issue involving its information systems and, after an investigation, determined that, between February 19, 2025 and March 5, 2025, an unauthorized party accessed some of Absolute Dental’s systems and potentially exfiltrated information pertaining to certain of Absolute Dental’s patients and employees.” — Settlement Agreement, Recitals

“WHEREAS, in connection with the Data Incident, the Personal Information of approximately 1,223,437 individuals in the United States was potentially compromised.” — Settlement Agreement, Recitals

“Settlement Fund means the sum of Three Million Three Hundred Thousand Dollars and No Cents ($3,300,000.00), to be paid by Absolute Dental and/or its insurers.” — Settlement Agreement, Section 1.45

“Documented Loss Payment. Class Members may submit a claim for a Settlement Payment of up to $5,000.00 for reimbursement of a Documented Loss. These losses include (i) documented out-of-pocket expenses such as: (a) bank fees, (b) long-distance phone charges, (c) cell phone charges (only if charged by the minute), (d) data charges (only if charged based on the amount of data used), (e) postage, (f) gasoline for local travel; and (ii) documented fees for credit reports, credit monitoring, or other identity theft insurance products, and other losses resulting from the Data Incident.” — Settlement Agreement, Section 3.4(a)

“To receive a Documented Loss Payment, a Class Member must choose to do so on their Claim Form and submit to the Settlement Administrator the following: (i) a valid Claim Form electing to receive the Documented Loss Payment; (ii) an attestation regarding any actual and unreimbursed Documented Loss made under penalty of perjury; and (iii) Reasonable Documentation that demonstrates the Documented Loss to be reimbursed pursuant to the terms of the Settlement and that the loss is more likely than not related to the Data Incident.” — Settlement Agreement, Section 3.4(a)

“This Settlement does not release, and it is not the intention of the Parties to this Settlement to release, any claims against any other party, including but not limited to JCI.” — Settlement Agreement, Section 4.1

“Class Counsel may file a motion seeking an award of attorneys’ fees of up to one-third of the Settlement Fund, and, separately, reasonably incurred litigation expenses and costs.” — Settlement Agreement, Section 9.1

“Absolute Dental shall have the unilateral right to terminate the Agreement and all of Absolute Dental’s payment obligations hereunder, except for Administrative Expenses actually incurred, if, in the aggregate, more than five percent (5%) of Settlement Class Members submit Requests for Exclusion electing to exclude themselves from the Settlement Class pursuant to this Agreement.” — Settlement Agreement, Section 10.7

“This Agreement, whether or not consummated, any communications and negotiations relating to this Agreement or the Settlement, and any proceedings taken pursuant to the Agreement shall not be offered or received against Absolute Dental as evidence of or construed as or deemed to be evidence of any presumption, concession, or admission by Absolute Dental with respect to the truth of any fact alleged by any Plaintiffs or the validity of any claim.” — Settlement Agreement, Section 11.1

Societal Impact Mapping

Environmental Degradation

Not applicable to this case. No environmental harm is alleged or documented.

Public Health

The breach of 1,223,437 medical records represents a systemic failure in healthcare data security. Medical records contain information that can be used to commit insurance fraud, obtain prescription medications under false identities, and blackmail individuals based on sensitive diagnoses. Unlike credit card numbers, which can be canceled and reissued, medical information is permanent. A stolen diagnosis of a mental health condition, a sexually transmitted infection, or a genetic disorder can never be “reset.”

The breach occurred in February 2025, but affected individuals may not experience the consequences for years. Identity thieves often hold stolen data in reserve, waiting for public attention to fade before deploying it. Medical identity theft is notoriously difficult to detect because victims often do not know it has occurred until they are denied insurance coverage, billed for procedures they never received, or arrested for fraudulent prescriptions written in their name.

The settlement provides two years of credit monitoring services to claimants who submit valid forms. After those two years expire, victims are on their own. The risk, however, persists indefinitely.

Economic Inequality

The $3.3 million settlement fund will be distributed as follows: (1) administrative expenses, (2) attorneys’ fees of up to one-third of the fund ($1.1 million), (3) service awards of up to $2,500 per named plaintiff ($12,500 total for five plaintiffs), and (4) settlement payments to class members who file valid claims.

Assuming administrative costs consume 10% of the fund ($330,000) and attorneys take the maximum one-third ($1.1 million), that leaves approximately $1.87 million for the 1,223,437 victims. If every single affected person filed a claim, the per-person payout would be $1.53. In practice, claim rates in data breach settlements average 3-10%. If 5% of the class submits claims (61,172 people), each claimant would receive approximately $30.58 before taxes.

Victims who can document losses up to $5,000 with receipts will be reimbursed in full—until the fund runs out. The settlement administrator will process documented loss claims first, then distribute any remaining funds as “Cash Fund Payments” on a pro-rata basis. California residents receive double the payout of non-California residents due to state-specific consumer protection laws.

The economic calculation is clear: Absolute Dental Group is paying $2.70 per compromised record. By comparison, the average cost of a data breach in the healthcare sector in 2025 is estimated at $408 per record according to industry reports. The company is settling for less than 1% of the actuarial cost of the harm it caused.

Judge Consulting, Inc., the vendor implicated in the breach, is not contributing to the settlement fund. If JCI is found liable in the ongoing litigation, victims may receive additional compensation—but only if they did not opt out of this settlement, and only if they file new claims in the subsequent proceeding. The settlement agreement preserves the right to sue JCI but does not coordinate with that litigation. Victims must monitor two separate legal actions and file claims in both to maximize recovery.

This is not justice. This is a math problem designed to minimize corporate liability while creating the appearance of accountability.

What Now?

Absolute Dental Group, LLC is a privately held company. Its ownership structure is not disclosed in public filings. The settlement agreement lists Dave Drzewiecki as the signatory “On Behalf of Defendant Absolute Dental Group, LLC.” No CEO, CFO, or CISO is named in the court documents. The board of directors, if one exists, is not identified.

Legal counsel for Absolute Dental is Sean G. Wieber of Winston & Strawn LLP, a global law firm with offices in Chicago, Illinois. Winston & Strawn represents Fortune 500 companies in high-stakes litigation. Their involvement suggests Absolute Dental Group has access to significant financial resources and institutional insurance coverage.

Class counsel includes Andrew W. Ferich of Ahdoot & Wolfson, PC; Andrew E. Mize of Stranch, Jennings & Garvey PLLC; Jessica A. Wilkes of Federman & Sherwood; Mariya Weekes of Milberg LLC; and Nickolas J. Hagman of Cafferty Clobes Meriwether & Sprengel LLP. These firms specialize in consumer class actions and data breach litigation.

The settlement will be administered by Epiq Class Action & Claims Solutions, Inc., a third-party administrator commonly used in large-scale settlements.

If you were a patient or employee of Absolute Dental Group and received a breach notification letter in 2025, you are likely a member of the settlement class. You have 90 days from the Notice Date (to be determined after preliminary approval) to file a claim. You can opt out within 60 days if you wish to preserve your right to sue independently. You can object to the settlement within 60 days if you believe it is inadequate.

Watchlist of Regulatory Bodies: The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA. The Federal Trade Commission (FTC) has authority over unfair and deceptive practices in healthcare data security. The Nevada Attorney General’s Office has jurisdiction over consumer protection violations within the state. File complaints with all three.

Grassroots Resistance: Demand mandatory third-party security audits for all healthcare providers handling more than 100,000 patient records. Support legislation requiring per-record penalties of $1,000 minimum for breaches caused by negligence, with funds directed to victims, not government coffers. Organize local data privacy coalitions to track corporate settlements and publish the names of executives who approve inadequate cybersecurity budgets. Make it expensive to fail.