LockBit Ransomware Gang Steals Data From 8.9M Dental Insurance Customers

pcmag.com:

Nearly 9 million patients of Managed Care of North America (MCNA) Dental had their personal data stolen by ransomware gang LockBit.

In a notification(Opens in a new window) published on its website, MCNA Dental said it became aware of unauthorized activity on its computer system on March 6, 2023, and later learned that hackers had been stealing private patient information from Feb. 26, 2023 to March 7, 2023.

As Bleeping Computer notes(Opens in a new window), the health provider is the largest dental insurer in the US for state-sponsored Medicaid and CHIP programs, and has been in operation for over 25 years.

Stolen information includes the first and last name, address, date of birth, phone number and email of its patients, as well as government information like Social Security and driver's license numbers. Maine's attorney general posted a full list(Opens in a new window) detailing what information was stolen.

The LockBit ransomware group took responsibility for the hack on March 7, 2023, when they threatened to publish 700GB of the private data unless they were paid $10 million. It appears the threat was true, as on April 7, LockBit released all the data on its website. 

In a filing(Opens in a new window) with Maine's AG, MCNA Dental says the breach affected 8,923,662 people (though only 101 are Maine residents). The notice on MCNA's website also mentions Arkansas, Florida, Idaho, Kentucky, New York, and a variety of other organizations, so the impact is widespread.

In its notification, MCNA offers to pay for(Opens in a new window) the yearly cost of an identity theft protection service for affected customers. It will also keep the data theft notice live on its website for “at least 90 days” as it does not have the