The LockBit ransomware group has claimed responsibility for an attack on MCNA Dental, one of the largest Medicaid and CHIP dental care and oral health insurance providers in the United States. More than 8.9 million individuals have been affected and had their sensitive data stolen. The LockBit gang issued a ransom demand of $10 million to prevent the release of the stolen data, then proceeded to leak the data when the ransom was not paid.
Managed Care of North America (MCNA), which does business as MCNA Dental, has recently confirmed the attack and explained in its notification letters that unauthorized individuals installed malicious code on certain systems. The cyberattack was detected on March 6, 2023, and access to its network was blocked by March 7, 2023. The forensic investigation confirmed that an unauthorized individual gained access to its network on February 26, 2023. Files were exfiltrated from its systems between February 26 and March 7 that contained information classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
The types of information compromised in the attack varied from individual to individual and may have included an individual’s name along with one or more of the following types of information: address, telephone number, email address, date of birth, Social Security number, driver’s license number, government-issued ID number, health insurance information, Medicare/Medicaid ID number, group plan name, group health plan number, and dental and orthodontic care information.
MCNA Dental said it has enhanced its security safeguards and monitoring capabilities in response to the attack and has offered affected individuals complimentary credit monitoring services. MCNA Dental said it is unaware of any misuse of the affected information; however, it is highly likely that there will be attempted misuse of the stolen data, as the LockBit ransomware group published the files on its data leak site, where they have been available for download since April 7, 2023. As such, anyone receiving a breach notification letter should ensure that the credit monitoring services are activated, and should also consider placing a freeze on their credit file with one of the 3 national credit monitoring agencies.
The breach was reported to the Maine Attorney General as affecting 8,923,662 individuals, which makes it the largest healthcare data breach to be reported so far this year and one of the largest healthcare data breaches of all time. MCNA Dental has issued notification letters on behalf of 112 insurance providers. Florida Healthy Kids Corporation and the Florida Agency for Health Care Administration were also affected.