Hackers claim breach of 1-800-Dentist, threaten to leak health data of millions


The Qilin ransomware gang is threatening to publish a cache of sensitive files potentially linked to millions of individuals and dental practices after the group claims to have exfiltrated data from the US-based healthcare organization over the weekend.

The Russian-linked cybercriminal group listed the Los Angeles-based dental referral service and business-to-business (B2B) marketing solutions firm on its dark victim blog on Sunday.


“The full leak will be published soon, unless a company representative contacts us via the channels provided,” the extortionists wrote on their leak site.

Qilin is threatening to publish allegedly stolen data from 1-800-Dentist unless the company makes contact with the group. Image by Cybernews

Although 1-800-Dentist has not confirmed any cyber incident, an attack could have compromised “the personal data belonging to millions of consumers and dental practices that rely on the company’s referral platform,” according to the Almeida Law Group.

Along with threatening to leak the company’s sensitive data unless it pays an undisclosed ransom fee, Qilin also posted 11 sample files as proof of its handiwork in the victim entry.

Cybernews has reached out to 1-800-Dentist and is awaiting a response at the time of this report.


Potential patient data at risk

Founded in 1986 by parent company Futuredontics, 1-800-Dentist collects the consumer information of roughly 2 million callers each year and matches an average 400,000 patients with dental offices nationwide, the Almeida Law Group said.


This includes 25,000 dentist members belonging to the company’s network of independent practitioners, dental practice groups, and major dental support organizations (DSOs) nationwide, the 1-800-Dentist website states.

1-800-Dentist works with thousands of dental practices and dental organizations across the US. 1-800-Dentist | Facebook

Although Qilin did not disclose exactly how much data – or what type of data – it allegedly stole from 1-800-Dentist, the free service collects a ton of personally identifiable information (PII) and health-related data from potential patients.

According to the 1-800-Dentist website, patient information may include:

  • Contact Details: name, address, telephone number, and email address.
  • Dental services requested
  • Medical and dental history
  • Medical images of teeth or gums upon request
  • Intended method of payment
  • Dental insurance provider

Furthermore, collected member information potentially compromised could include practice contact information, patient acquisition data, and employee information.

Additionally, 1-800-Dentist serves thousands of dental practices, providing two major technology platforms, including its “PatientLeads Acquisition Engine,” which promotes pay-per-call leads, lead generation, AI-marketing tools, and performance management.

The company also offers its “PatientActivator Platform,” an automated patient communication platform designed to handle appointment reminders, two-way text messaging support, and online reviews for patient retention purposes.


This means even if a patient did not necessarily obtain their dentist by contacting 1-800-Dentist, their information could be at risk.


Why dental practices should worry

Dental practices have specific obligations under the Health Insurance Portability and Accountability Act (HIPAA), which governs how a healthcare entity must protect patients’ electronic personal health information (ePHI).

“The patient information they electronically collect, maintain, store, and use is a potential gold mine for hackers, cybercriminals, and other technological bad actors who can sell and leverage that data for their own gain or nefarious ends,” says Jordan Uditsky of DDSLawyers, a firm which exclusively serves the dental community.

Dental practices face growing cybersecurity risks as attacks on healthcare providers and third-party vendors continue to rise. Image by bixstock | Shutterstock

Citing a study by the Ponemon Institute, Uditsky points out that from 2022 through 2024, dental practices alone suffered a whopping 45% increase in cyberattacks, costing more than $9 million per breach.

And those figures do not include attacks on third-party vendors a dental practice may work with.

“Such occurrences can quickly metastasize into a legal, financial, and reputational nightmare for dental practice owners,” he said.

Who is Qilin?

First identified by researchers in 2022, the Russian-linked group has rapidly eclipsed many of its rivals, emerging as the most active ransomware gang of 2025 and now 2026.

Its victims include manufacturers, financial firms, retailers, healthcare providers, government agencies, and transportation-related entities.


According to Cybernews’ in-house surveillance tool Ransomlooker, the gang listed more than 1,000 victims in 2025 and has extended that surge into 2026, claiming more than 643 additional victims by the end of June.

The Qilin ransomware group has claimed more than 1000 victims in 2025, and another 643 victims as of late June 2026. Cybernews Ransomlooker snapshot taken on June 29th, 2026. Image by Cybernews.

Since January, the group has listed the global food distributor Sysco Corporation and the US-based commercial real estate giant Cushman & Wakefield, both of which were also claimed by the notorious ShinyHunters extortion group.

Two New York-centric breaches were also claimed by the gang in the first half of the year – the Shipping Association of New York & New Jersey (SANYNJ), which runs one of North America’s busiest ports, as well as New York City’s TWU Local 100 – a union representing more than 67,000 active and retired transit workers for the nation’s largest public transportation system.

Operating a ransomware-as-a-service (RaaS) model, Qilin allows affiliates to deploy its malware and leverage its negotiation infrastructure in exchange for a cut of ransom payments.

High-profile claims in 2025 included Japan's Asahi Holdings, digital gaming giant International Game Technology (IGT), Korea’s SK Group, US newspaper group Lee Enterprises, Nissan Japan's design arm, Creative Box, and the controversial religion Scientology.

