On October 22, 2023, First Choice Dental, which operates 12 dental clinics in Madison and Dane counties in Wisconsin, suffered a ransomware attack. The dental care provider agreed to settle the litigation arising from the data security incident.
First Choice Dental published a temporary notification regarding the incident, notifying patients about the compromise of some of their protected health information (PHI) as required by HIPAA certification. While issuing the breach notification, the cyberattack investigation was in progress. First Choice Dental sent to the HHS Office for Civil Rights an interim notification that the breach affected 1,000 individuals.
First Choice Dental mentioned that it discovered unauthorized system activity on October 22, 2023, yet did not know how many people were affected or the types of information exposed. The healthcare provider started mailing breach notification letters to affected individuals on July 12, 2024, which is 9 months after the attack. The notification mentioned that the compromised data included names, birth dates, passport numbers, Social Security numbers, government ID numbers, driver’s license numbers, credit/debit card numbers, and medical data. The listing on the HHS Office for Civil Rights breach portal still indicates that the data breach affected 1,000 individuals, though the data breach affected more than 159,000 individuals.
On July 17, 2024, plaintiff Kelly Gorder filed the first class action lawsuit associated with the data breach in the Dane County Circuit Court of the State of Wisconsin, versus FCDG Management, LLC, d/b/a First Choice Dental. Another six lawsuits had been filed because of the data breach, which were combined in a single action – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.
Based on the combined class action lawsuit, the data breach might have been avoided if First Choice Dental had employed the proper safety measures and adopted industry-standard data protection strategies. The lawsuit stated claims of negligence, negligence per se, breach of fiduciary duty, invasion of privacy, breach of implied contract, unjust enrichment, and breach of Wisconsin Statute § 146.82.
First Choice Dental does not admit the claims and arguments in the lawsuit and states that it did no wrong or liability. On January 6, 2025, First Choice Dental submitted a motion to dismiss the class action lawsuit. That effort partly succeeded, with the court dropping the claims of unjust enrichment and invasion of privacy. However, the other claims were permitted to move forward. After considering the time and cost of the lawsuit, and the uncertainty of a trial and appeals, all parties negotiated on July 1, 2025, and agreed to the principal terms of a settlement. The court has already given the finalized settlement its preliminary approval.
The settlement class is composed of 159,145 people who were informed about the data breach. Those people are eligible to claim a CyEx Medical Shield Monitoring membership for three years, including an identity theft insurance policy for $1 million. Additionally, class members could claim either a refund of documented, unreimbursed out-of-pocket expenditures as a result of the data breach up to $6,000 per class member or a one-time $50 cash payment.
Claims are to be paid after paying the administration fees, attorneys’ fees and expenditures, service awards, and security enhancements worth $225,000. The total settlement expenses, including the above, are up to $1,225,000. Claims will be adjusted pro-rata when the total exceeds $1,225,000.
The last day to submit a claim is January 28, 2026. The schedule of the final fairness hearing is January 12, 2026. Those who wish to disagree with or exempt themselves from the settlement should do it on or before December 29, 2025. More details are available on the settlement website.
