Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
2023-05-31 17:32

The criminals who hit one of the biggest government-backed dental care and insurance providers in the US earlier this year hung about for 10 days while they extracted info on nearly 9 million people, including kids from poverty-stricken homes.

This included a huge range of data, from patients' full names, dates of birth, addresses, telephone numbers, and email addresses to their Social Security numbers, driver's license numbers or government ID numbers, and health insurance information, and in some cases even included dental X-rays.

According to the notice, the attack was discovered on March 6, a day before it was apparently contained, with MCNA subsequently discovering that certain systems in the network "may have been infected with malicious code."

Yes, that's the same gang that, back in January this year, "formally apologized" for breaking into the systems of Canada's largest children's hospital, SickKids, blaming a since-ditched affiliate group for an extortion attack and offering a free decryptor for the victim to recover the files.

Those with children whose data was taken in the haul were offered advice in the breach notice on how they could "Check to see if someone has created a credit file using my child's information." The company noted that leaked info also included medicine taken, and which doctor the patient visited, along with billing info that could be meant for a "parent, guardian, or guarantor".

Along with an apology, MCNA offered affected individuals 12 months of credit monitoring with identity theft protection service IDX, which some would consider to be on the low side considering the amount of personally identifiable information about customers of MCNA clients that was leaked, as well as advice on how to "Check your bills and accounts to be sure they look correct." The affected individuals only have until a certain date to activate the credit monitoring, a field left blank on the form letter the group sent to affected patients.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/05/31/mcna_breach/