UPDATE: ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed
From CTI Daily Brief — 2026-06-05 · published 2026-06-05 · view item permalink →
UPDATE (originally covered 2026-06-02): DentaQuest, a Sun Life subsidiary administering dental and vision benefits for ~35 M US Medicaid, Medicare and employer-plan members, is the latest confirmed named victim of the ShinyHunters data-extortion campaign last covered here on the Charter Communications listing. ShinyHunters listed DentaQuest on 23 May with a 27 May ransom deadline and published 234 GB after the deadline passed unpaid; in a 1 June statement DentaQuest confirmed unauthorised access to "a limited portion of its network" (BleepingComputer, 2026-06-04).
The dataset is HIPAA-format ASC X12 claims interchange — names, postal and email addresses, dates of birth, phone numbers, health-insurance details and Medicaid IDs across 2.6 M unique email addresses (BankInfoSecurity, 2026-06-04). DentaQuest's specific attack vector is not publicly confirmed, but the extortion pattern (extortion-without-encryption, a hard deadline, publish-on-refusal) matches the broader ShinyHunters campaign — several of whose other victims this year were reached through compromised cloud-SaaS (Salesforce) access. The operational reminder for defenders is unchanged: this actor monetises pure exfiltration, so backups do not blunt the leverage — detection has to land at the bulk-export stage (large outbound archive transfers from claims systems; and, where cloud-SaaS access has been the entry point for other victims, off-hours SaaS API token generation and anomalous bulk-export API calls).