Nearly 9 million patients of Managed Care of North America (MCNA) Dental had their personal data stolen by ransomware gang LockBit.
In a notification published on its website, MCNA Dental said it became aware of unauthorized activity on its computer system on March 6, 2023, and later learned that hackers had been stealing private patient information from Feb. 26, 2023 to March 7, 2023.
As Bleeping Computer notes, the health provider is the largest dental insurer in the US for state-sponsored Medicaid and CHIP programs, and has been in operation for over 25 years.
Stolen information includes the first and last name, address, date of birth, phone number and email of its patients, as well as government information like Social Security and driver's license numbers. Maine's attorney general posted a full list detailing what information was stolen.
The LockBit ransomware group took responsibility for the hack on March 7, 2023, when they threatened to publish 700GB of the private data unless they were paid $10 million. It appears the threat was true, as on April 7, LockBit released all the data on its website.
In a filing with Maine's AG, MCNA Dental says the breach affected 8,923,662 people (though only 101 are Maine residents). The notice on MCNA's website also mentions Arkansas, Florida, Idaho, Kentucky, New York, and a variety of other organizations, so the impact is widespread.
In its notification, MCNA offers to pay for the yearly cost of an identity theft protection service for affected customers. It will also keep the data theft notice live on its website for “at least 90 days” as it does not have the current postal addresses for all affected customers. Anyone affected by the data breach is advised to check their bills and accounts to ensure they look correct.
LockBit, meanwhile, is a rather prolific ransomware gang. Most recently, security researchers discovered a new version of the LockBit ransomware that targets Apple's Mac computers for the first time. But they've also targeted a SpaceX supplier, and launched a bug bounty program designed to reward anyone who submits details on previously unknown website vulnerabilities to the group.
