Hackers Stole User Data From 8.9 Million Dental Patients

A cyberattack on MCNA Dental has left data from nearly nine million patient accounts in the hands of a hacking group.

MCNA says it first became aware of the hack in March, but that hackers had gained access as early as February. The company is one of the biggest government-sponsored dental and oral health insurers in the US.

It’s another example of the too-frequent data breaches that our tech and business structures seem to be poorly equipped to combat.

What Data Was Lost?

MCNA’s announcement clarifies the timeline of the breach: The company became aware of unauthorized access on March 6, 2023, and after an investigatation they realized that the hackers first broke in to the computer system on February 26.

Here’s the kind of information that was leaked, from the company’s public notice:

• Information used to contact you, like first and last name, address, date of birth, phone number, email
  Social Security number
• Driver’s license number/other government-issued ID number
• Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
• Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
• Bills and insurance claims

Those impacted included 8,923,662 people in total, according to a filing of the incident with the Office of the Maine Attorney General as covered by Beeping Computer. The number covers parents, guardians, or guarantors of patients as well as patients themselves.

The Ransomware Gang Claiming Credit: LockBit

Ransomware group LockBit says that it is responsible for the breach. They demanded a ransom of $10 million which went unpaid, and so they’ve released 700GB of confidential information on their website, as of April 7.

Victims of the breach have a few options. First, they should all monitor their credit reports, checking for indications of identity theft. Second, they need to be wary of phishing emails or calls, since their exposed data could be used to trick them into further financial loss.

Some Companies Keep Quiet About Breaches

MCNA published its data breach acknowledgment on the Friday before Memorial Day weekend. Still, it could be worse: We might not have heard about this new data breach at all. According to one study, 29.9% of IT professionals have covered up data breaches at their company. Even more (42%) have faced pressure from their supervisors to do so.

Last year, a whistleblower at Twitter alleged the company had hidden data breaches from it’s own board, an indication that in some cases, even executives running a business that covers up data breaches won’t know that they’re being covered up.

It’s been a bad month for data breaches in healthcare: Last week, US company Apria Healthcare revealed to almost 1.9 million customers that their data may be been exposed in incidents that happened way back in 2019 and 2021. And on May 16, pharmaceutical giant PharMerica revealed a breach from March had impacted 5.8 million customers.