MMG Fusion 2020 Data Breach

MMG Fusion Dental Practice Management Platform Breach: 15 Million Patient Appointment & Contact Records Exposed
ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Medical · Appointments · Date of Birth · Email Address · Full Name · Gender · Password · Phone Number · Physical Address
High Severity · Website / service breach

Dental practice management and marketing platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 65/100
Data Value: 25
Market Recency: 25
Since Breach: 406d

Breach Intelligence Summary

Entity: MMG Fusion · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Healthcare Technology Company · Dental practice management and patient workflow services · Dental practice management platform · Global
Timeline: Breach (2020-12-20) · Indexed (Mar 17, 2025) · Year (2020)
Exposure: 15.5M records · 9 fields: Appointments, Date of Birth, Email Address, Full Name, Gender, Password, Phone Number, Physical Address, Relationship Status
Status: Confirmed

Executive Summary

MMG Fusion, a Maryland-based dental practice management and marketing software company, suffered a data breach beginning on December 20 to 21, 2020, when an unauthorized actor infiltrated MMG's internal network and accessed and exfiltrated patient data from MMG's databases serving its dental-practice clients. The breach was not reported by MMG to HHS, to its covered-entity dental-practice clients, or to affected patients. The U.S. Department of Health and Human Services Office for Civil Rights only became aware of the incident in January 2023 when it received a complaint about an unreported security incident and the appearance of MMG-attributed protected health information on the dark web. OCR initiated a formal investigation in March 2023, and after nearly three years of investigation, announced a settlement with MMG on March 5, 2026 that included a $10,000 financial penalty and a three-year corrective action plan.

The breach affected approximately 15 million individuals across MMG's dental-practice client base, with Have I Been Pwned indexing approximately 2.6 million unique email addresses among the records. Compromised fields included names, phone numbers, mailing addresses, email addresses, dates of birth, genders, marital status, physical addresses, dates and times of dental appointments, and a smaller number of bcrypt-hashed passwords for users with MMG portal accounts. The combination of contact details, demographic information, and dental-appointment dates provides unusual support for highly targeted phishing because attackers can reference real upcoming or past appointments by date and time.

For affected patients, the practical risk profile is unusual because of the appointment-record exposure. The combination of name, date of birth, address, phone number, and confirmed dental-appointment dates supports targeted phishing referencing real visits, including fraudulent appointment-confirmation messages, billing-themed scams referencing real services, and identity-verification bypass at financial institutions where dental-practice context is volunteered as background. Affected patients with bcrypt-hashed password exposure should change passwords on any accounts where they reused the same password as their MMG-affiliated dental-practice portal. Because MMG never notified affected patients directly, many individuals remain unaware they were included in the dataset, and the risk of legacy phishing referencing genuine appointment information remains active years after the original breach.

ObscureIQ assessment: High risk of identity theft, insurance fraud, and treatment-themed phishing. Dental platform data is especially sensitive because it may expose patient, provider, and financial workflows together.

Breach Impact

The institutional impact on MMG Fusion was substantial in regulatory and reputational terms but limited in financial penalty. The HHS settlement of $10,000 plus a three-year corrective action plan resolved the formal federal investigation, but the company appears to no longer operate as an active business. Affected dental-practice covered entities were never notified by MMG of the breach, leaving downstream patient-notification obligations effectively unfulfilled by the original responsible party. Civil litigation has been limited because the underlying breach occurred in 2020 and the disclosure delay placed many class-action timelines at risk under state breach-notification statutes. The case has been widely cited in HIPAA compliance training as a leading example of business-associate notification failure and the consequences of inadequate risk analysis. Dental-practice covered entities that contracted with MMG have faced their own derivative reputational and litigation exposure.

About MMG Fusion

MMG Fusion, LLC was a Maryland-based cloud-based software solutions provider founded in 2015 that supplied dental practice management and patient engagement tools to dental and orthodontic practices across the United States. The platform provided automated marketing, patient engagement, appointment reminders, online review management, and front-office workflow tools to its dental-practice clients. As a HIPAA business associate to numerous covered-entity dental practices, MMG Fusion held aggregated patient identity, contact, scheduling, appointment, and limited treatment records across millions of dental patients. The company operated the platform as a SaaS product accessed through web browsers, with both all-in-one and modular subscription offerings. By 2026 reporting, MMG Fusion was characterized in HHS settlement coverage as a company that effectively no longer exists as an active operating business.

Why They Hold Your Data

Dental practice-management platforms collect patient identity, contact details, insurance, billing, scheduling, treatment, and office workflow records across dental operations.

Recent Developments

The MMG Fusion breach went unreported by the company for more than two years. On March 5, 2026, the U.S. Department of Health and Human Services Office for Civil Rights announced a settlement with MMG Fusion to resolve HIPAA violations stemming from the 2020 breach. The settlement included a $10,000 financial penalty and a three-year corrective action plan to be monitored by HHS. The settlement amount drew widespread industry commentary as remarkably small relative to the 15-million-individual breach scope, with healthcare-compliance commentators citing the case as illustrative of HHS's limited enforcement capacity for covered entities and business associates that have effectively wound down. OCR found that MMG had impermissibly disclosed PHI of approximately 15 million individuals, failed to conduct an accurate and thorough risk analysis of electronic PHI, and failed to notify affected covered entities about the breach as required under the HIPAA Breach Notification Rule.

Data Points Exposed

9 verified field types
  • Appointments
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Gender
  • Password (Critical)
  • Phone Number
  • Physical Address (High)
  • Relationship Status

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Vacancy confirmation & medical fraud
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Social engineering context
  • Romance & family emergency fraud

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the MMG Fusion breach?

MMG Fusion, a Maryland-based dental practice management and marketing software company, suffered a data breach beginning on December 20 to 21, 2020 when an unauthorized actor infiltrated MMG's internal network and accessed and exfiltrated patient data from MMG's databases serving its…

What data was exposed?

Verified fields include Appointments, Date of Birth, Email Address, Full Name, Gender, Password, Phone Number, Physical Address, Relationship Status.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • Dehashed (Cross-source): Independent catalogue listing
  • Keeper (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
