MCNA Dental, a prominent dental care and oral health insurance provider in the United States, has made an announcement on its website regarding a significant data breach affecting nearly 9 million patients.
MCNA Dental primarily serves government-sponsored healthcare programs such as Medicaid and CHIP. The breach occurred when unauthorized access to MCNA’s computer systems was detected on March 6th, 2023, following an investigation that revealed the hackers had gained initial entry to the network on February 26th, 2023.
During this period, the attackers managed to obtain sensitive data belonging to almost 9 million patients. The compromised information includes:
- Full names
- Addresses
- Dates of birth
- Phone numbers
- Email addresses
- Social Security numbers
- Driver’s license numbers
- Government-issued ID numbers
- Health insurance details (such as plan information, insurance company, member numbers, and Medicaid-Medicare ID numbers)
- Dental treatment records (including visits, dentist and doctor names, past care, x-rays/photos, medications and treatments)
- Billing information
The data breach notification, filed with the Office of the Maine Attorney General, confirms that approximately 8,923,662 individuals, including patients, parents, guardians, or guarantors, were affected by this breach.
MCNA Dental has taken necessary actions to address the situation, improve the security of its systems, and prevent similar incidents in the future. The company has also contacted law enforcement agencies to assist in preventing the misuse of the stolen data.
Impacted individuals have been provided with instructions on how to avail themselves of 12 months of free identity theft protection and credit monitoring services through IDX. However, not all affected individuals will receive direct notification as MCNA does not possess current addresses for everyone. In such cases, the organization has published a substitute notice on IDX, which will remain available online for 90 days.
The substitute notice on IDX also contains an extensive list of more than a hundred healthcare providers indirectly affected by the breach. However, it remains uncertain whether these entities will issue separate breach notifications to their own patients.
LockBit has taken responsibility for the attack.
On March 7th, 2023, the LockBit ransomware group claimed responsibility for the cyberattack on MCNA. They made their involvement known by publishing initial samples of the stolen data from the healthcare provider.
LockBit demanded a ransom of $10 million from MCNA, threatening to publicly release approximately 700GB of sensitive and confidential information that they allegedly exfiltrated from MCNA’s networks.
On April 7th, 2023, LockBit followed through on their threat and made all the stolen data available for download on their website, making it accessible to anyone.
Given that the data is now potentially in the possession of other malicious actors, all individuals affected by the breach are advised to closely monitor their credit reports for any suspicious activity or signs of identity theft.
Additionally, users should exercise caution regarding targeted phishing attempts that may exploit the leaked data in an attempt to deceive recipients into disclosing further sensitive information, such as login credentials.