MMG Fusion, a Maryland-based dental practice management and marketing software company, suffered a data breach beginning on December 20 to 21, 2020 when an unauthorized actor infiltrated MMG's internal network and accessed and exfiltrated patient data from MMG's databases serving its dental-practice clients. The breach was not reported by MMG to HHS, to its covered-entity dental-practice clients, or to affected patients. The U.S. Department of Health and Human Services Office for Civil Rights only became aware of the incident in January 2023 when it received a complaint about an unreported security incident and the appearance of MMG-attributed protected health information on the dark web. OCR initiated a formal investigation in March 2023, and after nearly three years of investigation, announced a settlement with MMG on March 5, 2026 that included a $10,000 financial penalty and a three-year corrective action plan.

The breach affected approximately 15 million individuals across MMG's dental-practice client base, with Have I Been Pwned indexing approximately 2.6 million unique email addresses among the records. Compromised fields included names, phone numbers, mailing addresses, email addresses, dates of birth, genders, marital status, physical addresses, dates and times of dental appointments, and a smaller number of bcrypt-hashed passwords for users with MMG portal accounts. The combination of contact details, demographic information, and dental-appointment dates provides unusual support for highly targeted phishing because attackers can reference real upcoming or past appointments by date and time.

For affected patients, the practical risk profile is unusual because of the appointment-record exposure. The combination of name, date of birth, address, phone number, and confirmed dental-appointment dates supports targeted phishing referencing real visits, including fraudulent appointment-confirmation messages, billing-themed scams referencing real services, and identity-verification bypass at financial institutions where dental-practice context is volunteered as background. Affected patients with bcrypt-hashed password exposure should change passwords on any accounts where they reused the same password as their MMG-affiliated dental-practice portal. Because MMG never notified affected patients directly, many individuals remain unaware they were included in the dataset, and the risk of legacy phishing referencing genuine appointment information remains active years after the original breach.

Dental practice-management platforms collect patient identity, contact details, insurance, billing, scheduling, treatment, and office workflow records across dental operations.

The MMG Fusion breach went unreported by the company for more than two years. On March 5, 2026, the U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with MMG Fusion to resolve HIPAA violations stemming from the 2020 breach. The settlement included a $10,000 financial penalty and a three-year corrective action plan to be monitored by HHS. The settlement amount drew widespread industry commentary as remarkably small relative to the 15-million-individual breach scope, with healthcare-compliance commentators citing the case as illustrative of HHS's limited enforcement capacity for covered entities and business associates that have effectively wound down. OCR found that MMG had impermissibly disclosed PHI of approximately 15 million individuals, failed to conduct an accurate and thorough risk analysis of electronic PHI, and failed to notify affected covered entities about the breach as required under the HIPAA Breach Notification Rule.