Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
LockBit gang claimed 'trophy' of spilling low-income families' details. Their parents must be proud
The criminals who hit one of the biggest government-backed dental care and insurance providers in the US earlier this year hung about for 10 days while they extracted info on nearly 9 million people, including kids from poverty-stricken homes.
Managed Care of North America (MCNA) bills itself as "providing high quality services to state agencies and managed care organizations for their Medicaid, Children's Health Insurance Program (CHIP), and Medicare members." Medicaid and CHIP provide "free or low-cost" health coverage to some low-income people, families and children, pregnant women, the elderly, and people with disabilities.
According to the breach notice, available on the company's website and also in a filing with the attorney general for the state of Maine, the attackers broke into MCNA's servers on February 26 and were able to access "certain systems" and "remove copies of some personal information" between then and March 7. This included a huge range of data, from patients' full names, dates of birth, addresses, telephone numbers, and email addresses to their Social Security numbers, driver's license numbers or government ID numbers, and health insurance information, and in some cases even dental X-rays. The company claimed "not all data elements were involved for all individuals."
According to the notice, the attack was discovered on March 6, a day before it was apparently contained, with MCNA subsequently discovering that certain systems in the network "may have been infected with malicious code."
The LockBit ransomware gang claimed "credit" for the attack and published data, including, presumably, the children's information, back in March, to its own dark web blog site – seemingly after ransom demands were not met. Yes, that's the same gang that, back in January this year, "formally apologized" for breaking into the systems of Canada's largest children's hospital, SickKids, blaming a since-ditched affiliate group for an extortion attack and offering a free decryptor for the victim to recover the files. Traditionally the gang publishes information to their site when they have difficulty getting a ransom from a mark. Sometimes it can be like pulling teeth, right guys? Screenshots of the gang's website, which we won't reproduce here, reflect this.
It was speculated by some in the security community at the time of the SickKids attack in January that the way the gang tried to distance itself was primarily about its recruiting efforts (lest anyone think it was a genuine ethical flag in the ground). Essentially, the argument went, the LockBit overlords didn't want to turn the stomachs of more talented malware scribes who wished to make some scratch joining their crew.
Those with children whose data was taken in the haul were offered advice in the breach notice on how they could "check to see if someone has created a credit file using my child's information." The company noted that leaked info also included medicine taken, and which doctor the patient visited, along with billing info that could be meant for a "parent, guardian, or guarantor" (person who paid the bill).
Along with an apology, MCNA offered affected individuals 12 months of credit monitoring with identity theft protection service IDX, which some would consider on the low side given the amount of personally identifiable information about customers of MCNA clients that was leaked. It also offered advice on how to "check your bills and accounts to be sure they look correct." Affected individuals only have until a certain date to activate the credit monitoring, but that date was left blank on the form letter the company sent to affected patients. We've asked it for more info.
It added:
Because we may not have addresses for everyone, we are posting this substitute notice on this website, as allowed by the Health Insurance Portability and Accountability Act (HIPAA). This substitute notice will remain active for at least 90 days.
The company said it had "taken steps to mitigate and remediate the incident and to help prevent further unauthorized activity" as well as "enhanced our security controls and monitoring practices as appropriate, to minimize the risk of any similar incident in the future." It didn't say which security pros were in charge of this work. We've asked the corp for comment. ®