Attack by notorious ransomware group compromises personal data of 8.9M dental insurance members

Data breaches for the year have reached the high-water mark with the data of nearly 9 million individuals being compromised in a reported cyberattack on one of the country’s largest dental health insurers.

Managed Care of North America posted a notice Friday that unauthorized activity had been detected on its computer systems on March 6. Between Feb. 26 and March 7, the company stated that a digital intruder “was able to see and take copies of some information in our computer system.” Information stolen included patient and “parent, guardian or guarantor” personal data and information such as names, dates of birth and Social Security and driver’s license numbers.

In a data breach notification filed with Maine’s attorney general, the information of over 8.9 million people was compromised. This makes the attack the largest cyber breach this year to date, outpacing the second-largest attack of PharMerica, which exposed the data of 6 million patients.

MCNA counts itself as the largest dental insurer in the country for government-sponsored plans covering children and seniors. The payer works with states Medicaid agencies and the Children’s Health Insurance Program, including Aetna Better Health of New York, Empire BlueCross BlueShield HealthPlus and MetroPlus Health Plan, all of which “may have” lost information, according to MCNA.

“We quickly took steps to stop that activity,” the company wrote in a notice of the data breach on its website. “We began an investigation right away. A special team was hired to help us.”

"When we learned about the activity, we immediately began an investigation. Law enforcement was contacted. We are also making our computer systems even stronger than before because we do not want this to happen again," the company said in the statement.

The Atlanta-based insurer wrote on its website that it will be providing an identity theft protection service for one year without cost to those whose data were stolen. The personal information of children was also accessed in the attack. Aside from the loss of Social Security numbers, health insurance data, such as plan information and Medicaid ID numbers, along with bill and insurance claim information was also accessed.

The LockBit ransomware group claimed responsibility for the attack, according to reporting from TechCrunch. After MCNA refused to pay $10 million in ransom, the sensitive information was uploaded onto the notorious ransomware gang’s dark website. Samples of the leaked data confirm the control of patient data totaling 700GB. The data were uploaded to the gang’s website on April 7 and are now for sale.

Paying a ransom does not guarantee the return of data, according to the FBI. The FBI, which investigates cybercrime, does not support paying ransom in response to a ransomware attack. Rather than securing lost data and future security, the FBI states that paying ransom “encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

Javvad Malik, lead security awareness advocate at security awareness and training solutions company KnowBe4, said the information stolen in the latest breach is a "treasure trove for criminals who can use it to conduct identity theft or social engineering attacks."

"This incident highlights the importance of investing in cybersecurity, especially identifying the root causes of ransomware attacks. Inevitably, these causes are linked to social engineering tactics such as phishing, unpatched software, poor authentication, and the lack of multi-factor authentication. Addressing these issues through effective employee training, system updates, and robust security controls can help prevent future data breaches. Organizations should prioritize cybersecurity and ensure that they implement the necessary measures to protect their customer data. As we can see from this attack, the cost of inaction is simply too high," Malik said.

LockBit is a Russia-linked gang first detected in September 2019 and is one of the most prolific ransomware groups. The group gained attention by targeting well-known companies like SpaceX and one of its alleged leaders, dual Russian-Canadian citizen Mikhail Vasiliev, was arrested in November in Ontario, Canada. 

In response to the marauding gang, the federal Cybersecurity and Infrastructure Security Agency has advised companies to prioritize remediating known vulnerabilities in their systems, training employees to spot phishing and enabling multifactor authentication.

National consumer rights law firm Wolf Haldenstein Adler Freeman & Herz LLP has already begun investigating claims on behalf of patients whose information may have been stolen. 

MCNA stated on its website that it would be mailing letters to those whose information is suspected of being tampered with. For those whose addresses they do not have, links to the identity theft protection service is listed on the insurer’s website.