Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised.
MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S.
In a notice published Friday, MCNA says it became aware of unauthorized access to its computer systems on March 6th, 2023, with an investigation revealing that the hackers first gained access to MCNA’s network on February 26th, 2023.
During that time, the hackers stole data that contained the following information for almost nine million patients.
- Full name
- Date of birth
- Phone number
- Social Security number
- Driver’s license number
- Government-issued ID number
- Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
- Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
- Bills and insurance claims
The notification filed with the Office of the Maine Attorney General says the breach impacted 8,923,662 people, including patients, parents, guardians, or guarantors.
MCNA says it has taken all the appropriate steps to remediate the situation and enhance the security of its systems to prevent similar incidents from occurring in the future. It has also contacted law enforcement authorities to help prevent the misuse of the stolen information.
Additionally, the notices sent to impacted individuals enclose instructions on receiving 12 months of free identity theft protection and credit monitoring service through IDX.
However, not every impacted individual will receive a notice as MCNA does not have current addresses for everyone; hence the organization published a substitute notice on IDX, which will stay online for 90 days.
On that notice, people may also find the extensive list of over a hundred healthcare providers indirectly impacted by this incident. However, it is unclear if those entities will publish separate notices of the breach.
LockBit claimed the attack
The LockBit ransomware gang claimed the cyberattack on MCNA on March 7th, 2023, when the group published the first data samples stolen from the healthcare provider.
LockBit threatened to publish 700GB of sensitive, confidential information they allegedly exfiltrated from MCNA’s networks unless they were paid $10 million.
On April 7th, 2023, LockBit released all data on its website, making it available for download by anyone.
As the data is likely in the hands of other threat actors, all impacted users must monitor their credit reports for fraudulent activity and signs of identity theft.
Furthermore, users should be careful of targeted phishing emails that use the leaked data to trick recipients into revealing further sensitive information, such as credentials.