Managed Care of North America (MCNA) Dental has reported one of the largest ever breaches of protected health information to the Maine Attorney General. MCNA is the largest dental insurer in the United States for government-sponsored health plans for children and seniors.
MCNA said it discovered suspicious activity within its IT systems on March 6, 2023, and launched an investigation to identify the source of the activity after securing its systems to prevent further unauthorized access. The forensic investigation confirmed that a hacker had gained access to its systems on February 26, 2023, and remained in its systems until March 7, 2023. During that timeframe, the threat actor had access to sensitive client information and exfiltrated copies of that information from MCNA’s systems. MCNA has not confirmed exactly how many individuals have had their information stolen, but the records of 8,923,662 individuals were stored on the compromised systems.
The exposed information included names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers, other government-issued ID numbers, health insurance information, including plan information and Medicaid ID numbers, and billing and claims information. Some of that information related to parents and legal guardians of children and guarantors.
The delay in issuing notifications was due to the amount of data that had to be reviewed, a process that took around 2 months from the discovery of the data breach. MCNA did not provide detailed information about the nature of the hacking incident; however, the LockBit ransomware gang claimed responsibility for the attack and added MCNA to its dark web data leak site along with samples of the stolen information, some of which included the types of sensitive information listed above. The LockBit gang claimed to have stolen 700 gigabytes of data in the attack and issued a ransom demand of $10 million, and then proceeded to publish the stolen data when MCNA refused to pay.
While this is the largest healthcare data breach to be reported this year, other massive data breaches have also been announced, including a hacking incident and data breach at the pharmacy service provider, PharMerica, which affected almost 6 million patients, a breach at the healthcare management solution provider, NationsBenefits Holdings, LLC, which affected more than 3 million individuals, and a ransomware attack on the Point32Health-owned health service provider, Harvard Pilgrim Health Care, which affected more than 2.5 million individuals.