American dental insurer, MCNA Dental, has suffered a ransomware-related data breach that has exposed the data of more than 8.9 million people.
Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million people that their personal data was compromised.
In a notice published to its website on May 26, 2023 MCNA Dental said that it became aware of malicious actors gaining unauthorized access to its systems on March 6th. An investigation into the data breach revealed that malicious actors had been accessing MCNA Dental’s network since February 26th.
In a notice published May 26th, MCNA says it became aware of unauthorized access to its computer systems on March 6th, 2023, with an investigation revealing that the hackers first gained access to MCNA’s network on February 26th, 2023.
During that time, the hackers stole data that contained the following information for almost nine million patients.
- Full name
- Date of birth
- Phone number
- Social Security number
- Driver’s license number
- Government-issued ID number
- Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
- Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
- Bills and insurance claims
The notification filed with the Office of the Maine Attorney General says the breach impacted 8,923,662 people, including patients, parents, guardians, or guarantors.
MCNA says it has taken all the appropriate steps to remediate the situation and enhance the security of its systems to prevent similar incidents from occurring in the future. It has also contacted law enforcement authorities to help prevent the misuse of the stolen information.
Additionally, the notice letter sent to impacted individuals enclose instructions on receiving 12 months of free identity theft protection and credit monitoring service through IDX.
However, not every impacted individual will receive a notice as MCNA does not have current addresses for everyone; hence the organization published a substitute notice on IDX, which will stay online for 90 days.
On that notice, people may also find the extensive list of over a hundred healthcare providers indirectly impacted by this incident. However, it is unclear if those entities will publish separate notices of the breach
LockBit Ransomware Gang Claims Attack
The LockBit ransomware gang claimed the cyberattack on MCNA on March 7th, 2023, when the group published the first data samples stolen from the healthcare provider.
LockBit threatened to publish 700GB of sensitive, confidential information they allegedly exfiltrated from MCNA’s networks unless they were paid $10 million. On April 7th, 2023, LockBit released all data on its website, making it available for download by anyone.
As the data is likely in the hands of other threat actors, all impacted users must monitor their credit reports for fraudulent activity and signs of identity theft. Furthermore, users should be careful of targeted phishing emails that use the leaked data to trick recipients into revealing further sensitive information, such as credentials.
Understand Your Rights Regarding MCNA Dental’s Data Breach
MCNA Dental’s Notice of Data Breach states that it will provide 12 months of identity theft protection and credit monitoring to affected individuals. Victims should be aware of their legal rights and any waivers of liability MCNA Dental may require in order to provide these services.
Victims of identity theft are now exposed to a lifetime of fraudulent activity. Criminals use this information to:
- open new financial accounts in victims names,
- take out loans using victims identities,
- obtain medical services,
- use health information to craft phishing and other hacking attacks based on a victims individual health needs,
- obtain government benefits,
- file fraudulent tax returns
- obtain drivers licenses,
- give false information to police during an arrest.