8.9 million people impacted by MCNA Dental data breach after ransomware attack

On Friday 26th of May 2023, one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S., Managed Care of North America (MCNA) Dental released a data breach notification, disclosing almost 9 million patients had their personal data were compromised.

MCNA announced in the notice that it had become aware of unauthorized access to its computer systems on Monday 6th of March 2023, with an investigation revealing that the threat actors first gained access to MCNA’s network on Sunday 26th of February 2023. The investigation revealed that the threat actors had stolen data that contained the following information for almost nine million patients:

• Full name
• Address
• Date of birth
• Phone number
• Email
• Social Security number
• Driver’s license number
• Government-issued ID number
• Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
• Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
• Bills and insurance claims

MCNA has stated that it has taken all the appropriate steps to resolve the situation and enhance the security of its systems to prevent similar incidents from occurring in the future. It has also contacted law enforcement authorities to help prevent the misuse of the stolen information. Additionally, MCNA has offered 12 months of free identity theft protection and credit monitoring service.

The ransomware group responsible for the attack was the LockBit ransomware gang who claimed the cyberattack on MCNA on Tuesday 7th of March 2023. LockBit had threatened to publish 700GB of the files that they allegedly exfiltrated unless MCNA paid the $10 million ransom demand. However, on Friday 7th of April 2023, LockBit released all data on its website, making it available for download by anyone.