A cybersecurity attack has hit dental benefits management company MCNA Dental, possibly exposing the sensitive data, including Social Security numbers, of nearly 9 million patients, according to a notice published on May 26 on behalf of the company.
News of the attack comes on the heels of security breaches at dental service organizations (DSOs) Great Expressions Dental Centers, which has more than 300 affiliated practices, and Aspen Dental, which has about 1,100 practices throughout the U.S.
MCNA, which is one of the largest benefits providers for government-sponsored dental programs in the U.S., first became aware of the hack on March 6 and immediately began investigating the situation and hired a special team to assist, according to the published notice. It learned that a criminal viewed and copied some information from MCNA’s computer system between February 26 and March 7, according to the announcement.
Hackers may have seen or taken the following information:
- Names
- Addresses
- Birth dates
- Phone numbers and emails
- Social Security numbers
- Driver’s license and government-issued ID numbers
- Health insurance information, including Medicaid-Medicare numbers
- Treatment data, including visit information, dentist names, x-rays, photos, and medications
- Bills and insurance claims data
- Guarantor data
“Information which was seen and taken was not the same for everyone,” the company’s announcement stated.
Ransomware gang LockBit has claimed responsibility for the MCNA breach, according to an article published on May 30 on tech.co.
The gang allegedly released 700GB of stolen data on its website after the dental benefits provider failed to pay the $10 million ransom demand, according to the story.
MCNA, along with Healthplex, the New York-based dental insurance company that the dental benefits firm acquired in 2019, serve 8.9 million Medicaid and Children’s Health Insurance Program patients in Texas, Florida, Iowa, Idaho, Louisiana, Nebraska, Arkansas, Utah, New York, and the Northeast.
More than 100 groups that do business with MCNA were affected by the hack, including Aetna Better Health of New York, the Florida Agency for Health Care Administration, the Idaho Department of Health and Welfare, the Metropolitan Transit Authority, the United Federation of Teachers, and the Texas Health and Human Services Commission, according to the announcement.
To prevent a similar problem in the future, MCNA said it is improving the security of its computer systems.
On May 17, Great Expressions Dental Centers announced that it was struck by a cybersecurity incident that disrupted its information technology systems and exposed some personal patient data. An unauthorized party accessed the DSO’s systems during a six-day period in February 2023.
In April, TAG - The Aspen Group, the parent company of Aspen Dental, was struck by a cybersecurity attack that temporarily impacted its ability to access its scheduling system, phone, and other business applications.