MCNA, a US-based dental and oral health insurance provider, has reported that almost 9 million individuals were impacted in a recent data breach. The incident took place on March 6, 2023, when an unauthorized party managed to access certain MCNA systems. The company took immediate remedial steps to contain the threat, and sought the assistance of a third-party forensic firm to investigate the matter. An inquiry found that some network systems had been infected with malicious code, and that the unauthorized party was able to access certain systems and remove copies of personal information between February 26 and March 7, 2023. In a notification to individuals potentially affected by the breach, MCNA stated that their personal data “may have been involved” in the attack.
The LockBit ransomware group claimed responsibility for the cyber attack, apparently demanding a ransom of $10 million and giving April 6 as the deadline for payment. The group had apparently managed to pilfer a significant amount of sensitive data from MCNA between February 26 and March 7, including information such as first and last names, addresses, dates of birth, phone numbers, emails, social security numbers, driver’s license numbers, government issued ID numbers, health insurance numbers, Medicaid ID numbers, dental health information, X-rays, medicines, and treatment data, bills and insurance claims, and parent, guardian, or guarantor information. The group demanded $1,000 to extend the deadline for leaking the stolen data by 24 hours, and $9,999,999 to destroy all the breached data.
On April 7, 2023, LockBit leaked the exfiltrated data from MCNA. The ransomware group had over 700 GB of sensitive information from the company’s data breach. Following the incident, MCNA has begun to inform all affected individuals, which amounts to 8,923,662. The company has offered free identity theft protection services to impacted users, and recommends that they regularly check their credit scores, review all financial statements carefully, remain vigilant of suspicious activities on their accounts, and report any illicit activity to concerned authorities.
It is suggested that users do not open emails or click on links, even if they appear urgent, as these may often be fraudulent. MCNA has also advised against providing any bank account information via online forms or communications. Users should also be vigilant in checking official communications from MCNA, and avoid inputting sensitive bank data in communication forms. The company has also offered a free annual identity theft protection service that affected individuals may sign up for to avail this service. Despite this, so far, there have been no reported cases of misuse of personal information from the MCNA data breach, as MCNA stated in their notification that they were unaware of any attempted misuse of provider information as a result of this incident.