Another reason to hate going to the dentist…a massive data breach involving ransomware which affect 8.9 million
May 30, 2023 |
There is sometimes fear and often plenty of pain going to the dentist. For patients of Managed Care of North America (MCNA) Dental that experience got a lot worse. According to Bleeping Computer a massive data breach has affected 8.9 million patients. Medical/Dental insurance companies are prime targets for hackers as they contain huge troves of personal information including payment details. That was the case with this attack. Names, addresses, social security numbers and other forms of personal information were accessed.
The Notice of Data Breach provides:
What happened?
On March 6, 2023, MCNA became aware of certain activity in our computer system that happened without our permission. We quickly took steps to stop that activity. We began an investigation right away. A special team was hired to help us. We learned a criminal was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.
What information may have been involved?
Here is the kind of information that was seen and taken:
- Information used to contact you, like first and last name, address, date of birth, phone number, email
- Social Security number
- Driver’s license number/other government-issued ID number
- Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
- Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
- Bills and insurance claims
Some of this information was for a parent, guardian, or guarantor. A guarantor is the person who paid the bill. Information which was seen and taken was not the same for everyone.
Why did this happen?
A criminal accessed our computer system without our permission.
What was done about it?
When we learned about the activity, we immediately began an investigation. Law enforcement was contacted. We are also making our computer systems even stronger than before because we do not want this to happen again.
We would like to offer you an identity theft protection service. We will pay for the cost of this service for 1 year so that it is free for you. Please click here to sign up for this service.
What should I do?
You can sign up for the identity theft protection service. Please check your bills and accounts to be sure they look correct. Please click here for steps on how to do that.
What if I have a question?
If you have any questions or concerns, please call us toll free at 1-888-220-5006. You can also review the “Incident Information” section below for more information.
We are sorry for any concern this event may cause. We are mailing letters to people whose information may have been involved in this event. Because we may not have addresses for everyone, we are posting this substitute notice on this website, as allowed by the Health Insurance Portability and Accountability Act (HIPAA). This substitute notice will remain active for at least 90 days.
The Bleeping Computer article provides:
Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised.
MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S.
In a notice published Friday, MCNA says it became aware of unauthorized access to its computer systems on March 6th, 2023, with an investigation revealing that the hackers first gained access to MCNA’s network on February 26th, 2023.
During that time, the hackers stole data that contained the following information for almost nine million patients.
- Full name
- Address
- Date of birth
- Phone number
- Social Security number
- Driver’s license number
- Government-issued ID number
- Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
- Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
- Bills and insurance claims
The notification filed with the Office of the Maine Attorney General says the breach impacted 8,923,662 people, including patients, parents, guardians, or guarantors.
MCNA says it has taken all the appropriate steps to remediate the situation and enhance the security of its systems to prevent similar incidents from occurring in the future. It has also contacted law enforcement authorities to help prevent the misuse of the stolen information.
Additionally, the notices sent to impacted individuals enclose instructions on receiving 12 months of free identity theft protection and credit monitoring service through IDX.
However, not every impacted individual will receive a notice as MCNA does not have current addresses for everyone; hence the organization published a substitute notice on IDX, which will stay online for 90 days.
On that notice, people may also find the extensive list of over a hundred healthcare providers indirectly impacted by this incident. However, it is unclear if those entities will publish separate notices of the breach.
LockBit claimed the attack
The LockBit ransomware gang claimed the cyberattack on MCNA on March 7th, 2023, when the group published the first data samples stolen from the healthcare provider.
LockBit threatened to publish 700GB of sensitive, confidential information they allegedly exfiltrated from MCNA’s networks unless they were paid $10 million.
On April 7th, 2023, LockBit released all data on its website, making it available for download by anyone.
As the data is likely in the hands of other threat actors, all impacted users must monitor their credit reports for fraudulent activity and signs of identity theft.
Furthermore, users should be careful of targeted phishing emails that use the leaked data to trick recipients into revealing further sensitive information, such as credentials.