Managed Care of North America, one of the largest dental care service providers in the United States, has admitted that the LockBit cyberattack the threat actors disclosed in early March 2023 has impacted almost 9 million people.
The healthcare organization posted a notice of a breach on its website and shared a sample with the authorities, estimating the number of impacted individuals to be 8,923,662.
In the notice sent to affected patients on May 26, 2023, MCNA informs that hackers infiltrated its network on February 26, 2023, and maintained access until March 7, 2023, a day after the company discovered the intrusion.
“On March 6, 2023, MCNA became aware that an unauthorized party was able to access certain MCNA systems. Upon discovery the same day, MCNA took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts.”
“MCNA subsequently discovered that certain systems within the network may have been infected with malicious code. Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information between February 26, 2023 and March 7, 2023.”
-MCNA
The data that has been compromised as a result of this security incident include the following:
- Demographic information to identify and contact you, such as full name, date of birth, address, telephone and email;
- Social Security number;
- Driver’s license number or government-issued identification number;
- Health insurance information, such as name of plan/insurer/government payor, member/Medicaid/Medicare ID number, plan and/or group number;
- Information regarding dental/orthodontic care
A separate notice posted on the IDX site, which is the vendor of identity protection services provided free of charge to impacted individuals, lists 112 healthcare service providers who are insurance contractors of MCNA and hence might also be breached. If you have received services from the listed entities, it is recommended to reach out to them and learn about how this incident impacts you specifically.
LockBit demanded a ransom payment of $9,999,999 from the victimized organization on March 7, 2023, threatening to publish 700 GB of sensitive data on its extortion site.
RestorePrivacy.com
On April 7, 2023, after a month had elapsed, the hackers materialized their threat and made all data available for download. This move increased the risk of malicious exploitation of this data by cybercriminals, who could now use the data to target millions of people with phishing or social engineering attacks.
Unfortunately, it took MCNA several weeks to conclude its investigation and inform impacted people, giving the threat actors a comfortable window of opportunity to launch attacks against exposed individuals.
Those affected by this incident need to exercise caution when dealing with unsolicited emails and text messages. It’s vital to approach all communications with a heightened level of vigilance, and maintain a healthy skepticism, even in the face of alerts related to this very breach. MCNA, IDX, or data protection authorities will not ask you to “confirm your identity” by supplying additional information, and neither is there a refund program relating to the latest incident.
BlackCat Ransomware Says It Snatched Millions of Medical Records
Sadly, in most cases it takes a long time until companies realize they have been victims of a leak. Once again, thank you so much Heinrich for keeping us informed.