On June 4, 2026, dental benefits administrator DentaQuest confirmed a breach that exposed sensitive data from 2.6 million customer accounts. The extortion group ShinyHunters claimed responsibility, posting 234GB of stolen data publicly after DentaQuest allegedly failed to meet their ransom demands.
The exposed data included email addresses, full names, phone numbers, government-issued IDs, health insurance information, genders, and dates of birth — exactly the kind of protected health information (PHI) that HIPAA’s Security Rule is designed to safeguard.
DentaQuest serves 35 million customers and manages dental insurance plans for Medicaid programs, Medicare Advantage plans, and employer-sponsored benefits. This is a HIPAA-covered entity with a clear regulatory obligation to implement technical safeguards that restrict PHI access to authorized users and programs.
Those safeguards failed.
The Attack: Exfiltration Requires Reading Files
The article doesn’t detail how ShinyHunters initially gained access to DentaQuest’s network — that could have been phishing, stolen credentials, a third-party vendor compromise, or an unpatched vulnerability. But here’s what we know for certain: before 234GB of customer data could be transmitted to the attacker’s infrastructure, it had to be read from DentaQuest’s file systems.
Data exfiltration isn’t magic. It’s a file operation. The attacker’s tools — whether custom scripts, publicly available exfiltration frameworks, or compromised legitimate applications — had to open files containing PHI, read their contents, and transmit them out of the environment.
Every one of those read operations happened at the Windows kernel level. And every one of them could have been blocked.
How FileSure Blocks Exfiltration at the File System Layer
FileSure Defend operates as a kernel-level filter driver that intercepts file system operations before they reach the disk. It enforces policies that define exactly which programs are authorized to perform which operations on which files.
For a healthcare organization like DentaQuest, a FileSure policy might look like this:
File filter: *.db, *.mdb, *.accdb, *patient*, *insurance*, *member* (database files and any file with patient/insurance/member in the name)
Authorized programs: C:\Program Files\EHR\ehr.exe, C:\Program Files\Billing\billing.exe, C:\Program Files\SQL Server\sqlservr.exe
Allowed operations: Read, Write (only for authorized programs)
Blocked operations: Read by any other program
Action: Block and log
With this policy in place, the only programs that can read files containing patient data are the EHR application, the billing system, and the SQL Server database engine. Everything else — including PowerShell, Python scripts, curl, wget, remote access tools, and whatever custom exfiltration toolkit ShinyHunters deployed — gets blocked at the kernel level.
The attacker’s read operation fails. No data is returned. The exfiltration attempt dies before it starts.
FileSure also logs every blocked attempt with the user name, program name, machine name, file path, and timestamp. Your security team gets immediate visibility into what just tried to access your patient data and failed.
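The decision logic of the policy above can be modelled in a few lines to see which read requests it would allow or block and what a blocked-attempt record carries. This Python sketch is an added example, not FileSure code or its configuration syntax. It assumes the filters are matched case-insensitively against the file name, models read requests only, and uses constructed sample requests.

```python
import ntpath
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Filters and authorized programs copied from the policy on this page.
FILE_FILTERS = ["*.db", "*.mdb", "*.accdb", "*patient*", "*insurance*", "*member*"]
AUTHORIZED_PROGRAMS = [
    r"C:\Program Files\EHR\ehr.exe",
    r"C:\Program Files\Billing\billing.exe",
    r"C:\Program Files\SQL Server\sqlservr.exe",
]

def norm(path):
    # Windows paths are case-insensitive; collapse "..", unify separators and case.
    return ntpath.normcase(ntpath.normpath(path))

AUTHORIZED = {norm(p) for p in AUTHORIZED_PROGRAMS}

def is_protected(file_path):
    # Assumption: filters are matched against the file name, not the directory.
    name = ntpath.basename(norm(file_path))
    return any(fnmatchcase(name, pattern) for pattern in FILE_FILTERS)

def evaluate_read(user, program, machine, file_path, now=None):
    """Decide one read request; return (decision, log_record_or_None)."""
    if not is_protected(file_path) or norm(program) in AUTHORIZED:
        return "allow", None
    record = {  # the five fields the page says are logged for a blocked attempt
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "program": program,
        "machine": machine,
        "file": file_path,
    }
    return "block", record

# Constructed sample requests: (user, program, machine, file)
SAMPLE = [
    ("svc_ehr", r"c:\program files\ehr\EHR.EXE", "EHR01", r"D:\Data\Patient_Records.mdb"),
    ("jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "FS02",
     r"D:\Data\members_2026.accdb"),
    ("jdoe", r"C:\Windows\System32\notepad.exe", "FS02", r"D:\Docs\notes.txt"),
]

if __name__ == "__main__":
    for request in SAMPLE:
        decision, record = evaluate_read(*request)
        print(decision, record or request[3])
```

Running a real file inventory through `is_protected` shows which PHI-bearing files the name filters do not cover.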
HIPAA Requires This. Most Organizations Don’t Enforce It.
The HIPAA Security Rule’s Technical Safeguards standard (§164.312) explicitly requires covered entities to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.”
Most organizations interpret that as network access controls and user authentication. But once an attacker has a foothold inside your environment — whether through a compromised employee account, a phishing email, or a third-party vendor — network perimeter controls are irrelevant. The attacker is already inside.
File-level access control is the enforcement mechanism that actually implements the “allow access only to authorized programs” requirement. It’s the last line of defense, and it’s the most durable one, because it doesn’t depend on recognizing the attacker’s tools or techniques. It just enforces the rule: these files, these programs, nobody else.
FileSure has been protecting healthcare organizations’ PHI for over 15 years, including legacy Windows systems running medical devices and EHR platforms that can’t be easily upgraded or replaced. It installs on Windows Server 2003 through Windows Server 2025 and on Windows XP through Windows 11.
If you’re responsible for protecting patient data and you’re not controlling file operations at the kernel level, you’re hoping your perimeter holds forever. DentaQuest just demonstrated how that works out.
Start a free 21-day trial at bystorm.com and see exactly what’s trying to touch your patient data files.