MCNA Dental—which calls itself the largest U.S. dental insurer for Medicaid and Children’s Health Insurance Program plans—has been hit by a ransomware attack that exposed the data of nearly 9 million people.
MCNA posted a notice of the breach last week.
The insurer said it became aware of the activity in its computer system on March 6. MCNA said data was exposed and copied between Feb. 26 and March 7.
A filing with the Maine Attorney General’s office indicated that 8,923,662 people were affected.
The Exposed Information
MCNA noted that the following types of information were exposed in the breach:
- Contact information (first and last names, addresses, dates of birth, phone numbers, email addresses)
- Social Security numbers
- Driver’s license numbers/government IDs
- Health insurance (plans, companies, member numbers, Medicaid-Medicare IDs)
- Care visits (dates, dentist/doctor names, past care, X-rays, medicines, treatment courses)
- Bills and insurance claims
Those exposed weren’t just patients. Information on parents, guardians, and guarantors was also compromised.
MCNA said it completed its review of the attack on May 3 but didn’t provide additional details, other than noting the assistance of law enforcement. TechCrunch reported that the notorious LockBit ransomware group claimed responsibility for the attack, saying it published all the files it grabbed after MCNA refused a $10 million ransomware demand.
LockBit, which has been linked to Russia, has hit several high-profile victims, including the UK’s Royal Mail, financial software company Ion Group, and the California Department of Finance.
The Scourge of Ransomware
Ransomware—the infiltrating of computer systems to block access by the rightful owner until money is paid—continues to be a leading concern for U.S. law enforcement, governments, financial institutions, and other businesses, not to mention individuals.
According to an IBM report, data breaches of all sorts are especially costly to the healthcare industry, costing an average of $10.1 million per incident.
The presence of ransomware, in particular, has given rise to an entire industry built on negotiating with attackers. A November 2022 Javelin Strategy & Research report, Ransomware Negotiation Market Landscape 2022, assessed vendors in that market and provided advice on how to choose the negotiation provider that best meets a breached organization’s needs.
Not every ransomware attack ends with the transfer of money—MCNA’s apparently didn’t—which makes it all the more essential that a compromised company chooses wisely when confronted with an attack.
TechCrunch, which looked at the LockBit leak site on the dark web, said the ransomware gang made off with 700 gigabytes of data from the dental insurer.
“Assuming it is true that the compromised data has now been released on the dark web, I think this case perfectly underscores the perils of ransomware in so far as it illustrates the unfortunate Catch-22 that victims are in once criminals successfully penetrate their systems and gain access to sensitive data,” said Kevin Libby, an analyst in the Javelin Fraud & Security practice. “On the one hand, businesses do not want to negotiate with ransom-seekers for fear of emboldening them and encouraging future attacks or setting off an ever-escalating, unsatisfiable set of demands wherein the stolen data will eventually be released anyway. On the other hand, a business’ reputation, and the identities of consumers whose information has been exposed, are in some sense always more valuable than the ransom requested and need to be protected.”
“Unfortunately, by the time a criminal has obtained sensitive information, it’s most often too late,” he said. “The opportunity to protect consumer data is before hackers gain access to the systems in which it is stored. Once those systems are breached, it is very hard to put the proverbial genie back into the bottle.”
How Individuals Can Protect Themselves
MCNA’s notice of the data breach included an offer of a one-year subscription to an identity theft protection service (IDPS) for affected customers.
When personal data is compromised by an attack on a third party, like an insurer, an IDPS can be an effective hedge against the illicit use of that information once it’s out in the open. Javelin’s cybersecurity and fraud analysts have consistently recommended that financial institutions make such services more widely available to their customers, along with stronger overall cybersecurity education. (For related reading, see the following reports: More Cyber Lessons for Digital Bankers: It’s All About Trust, Reality Bytes: Empowering Consumers Through Fraud and Scams Education, and the latest installment of Javelin’s landmark identity fraud study, Identity Fraud: The Butterfly Effect.)
“Perhaps the best thing that a consumer can do after an event like this is to take a defensive posture and do what they can: ensure that as many personal accounts as possible utilize user IDs that are not tied to their name or Social Security number, request ongoing account change notifications and turn on multifactor authentication at every merchant and financial institution that offers those security features, change passwords, lock their credit with all three credit bureaus, and consider signing up for an identity protection service that monitors new account openings and PII exposure on the dark web,” Libby said.