One of North America’s largest Medicaid and CHIP dental care providers has suffered a massive data breach of highly sensitive patient information, thought to be perpetrated by the LockBit ransomware group.
The breach of Managed Care of North America (MCNA) Dental is extremely serious. The records included Social Security numbers, records of care, insurance claims, and other identifying numbers in connection with full personal contact information. MCNA says that it has reached out to all impacted parties, but that some cannot be reached as they do not have a current address on record.
MCNA refuses ransom for data breach, information has been released to the dark web
The data breach reportedly took place between February 6 and March 7, and a total of 700 GB of information was stolen. The LockBit ransomware group released the stolen data to the public in early April, after MCNA refused a ransom demand of $10 million, though there was no data breach notification posted to the public until May 26.
This means that impacted victims are looking at an incoming wave of identity theft, fraud and phishing attempts. MCNA has said that it will provide 12 months of free IDX credit monitoring to victims, but that it does not have up-to-date contact information for some of the impacted parties. A notice of the data breach has been published on the IDX website, but it is apparently only being made available for 90 days.
A total of 8,923,662 people are known to be impacted by the data breach. In addition to patients this could include parents, guarantors or guardians of persons enrolled in CHIP or Medicaid. At minimum victims should expect that their full name, address, phone number, email address and date of birth have been exposed. Some (unclear exactly how many) may have had Social Security numbers, driver’s license or government ID numbers, health insurance plan details, information about treatment visits, bills or insurance claim information exposed.
The LockBit ransomware group was first spotted in action in late 2019 and has since become one of the biggest threat actors of its type. It racked up the largest total victim count in 2022, and while other groups are surging in 2023 a number of security researchers report that it remains the most aggressive about ransom demands. The group is known for “big game” hunting, targeting well-funded companies like SpaceX, and does seem to have some limits as to how far it will go; when an Illinois school district was infected by a LockBit ransomware affiliate in April, the group apologized and provided a decryption key for free. This case makes clear that this magnanimity does not extend to patient medical records, however, even when many involve children and their families in the CHIP program.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, sees this as another reminder that ransomware defenses cannot be ignored: “It is unfortunate to see yet another data breach impacting millions of individuals. The information stolen in this breach is a treasure trove for criminals who can use it to conduct identity theft or social engineering attacks. This incident highlights the importance of investing in cybersecurity, especially identifying the root causes of ransomware attacks. Inevitably, these causes are linked to social engineering tactics such as phishing, unpatched software, poor authentication, and the lack of multi-factor authentication. Addressing these issues through effective employee training, system updates, and robust security controls can help prevent future data breaches. Organizations should prioritize cybersecurity and ensure that they implement the necessary measures to protect their customer data. As we can see from this attack, the cost of inaction is simply too high.”
LockBit ransomware group remains highly active
Though it may not be the absolute top dog in the game anymore, the LockBit ransomware gang is still highly active and one of the major threats, even as one of its leaders was recently arrested as he traveled from Russia to Canada. The group develops its own ransomware and tools, and in April began deploying a type of custom ransomware designed to infect Apple Macintosh desktop and laptop computers (something that is relatively rare in the ransomware world).
The health care industry has not traditionally been seen as one of the more lucrative targets out there, but even major groups like LockBit ransomware (and its affiliates) have been focusing in on it more over the past year or two. Patient care facilities generally do not have much in the way of cash on hand to pay off criminals, but they cannot afford even a short amount of downtime and the attackers are likely hoping for an insurance payoff. It’s also a dangerous game to play as it can put people’s lives at risk, with the two deaths to date attributed to ransomware both the result of someone in a critical or emergency state being unable to get timely care due to the attack.
Health care is also a convenient source of personal information all gathered neatly in one place, and organizations that experience a data breach have to seriously consider that the ransomware gang will keep the data and sell it later even if the ransom is paid. While the bigger ransomware gangs generally do provide decryption keys when paid, some have been caught peddling data that they claimed to delete. Assorted studies have also found that while it is not uncommon for victims to get some amount of their data back after making a payment, it is very rare for them to recover all of it. This stresses the importance of both regular and thorough backups to recover from, and the implementation of encryption at rest throughout systems for highly sensitive information of the type stolen in the MCNA data breach.
As James Graham, VP of RiskLens, observes: “Healthcare organizations must assume that persistent cyber attacks are the norm, and take steps to understand their risk exposure more accurately. It’s vital for them to know the types of cyber incidents most likely to impact them and what their likely losses could be, in financial terms. This is important not only for the entire organization, but also the safety and privacy of patients, whose personal data could be at risk of exposure. In order to do so, they must perform quantitative risk assessments that allow them to calculate their risk exposure in dollar terms, then allocate budgets and security solutions accordingly to boost their security and minimize costs.”