A US government-sponsored provider of dental healthcare is warning nearly 9 million clients that their sensitive and private personal and medical data was exposed in a LockBit ransomware attack that occurred earlier this year.

Managed Care of North America (MCNA) Dental — which works with various Medicaid agencies, the Children's Health Insurance Programs, corporations, and insurance plans — put out a notice on May 26, before the Memorial Day weekend, that a cyberattack that occurred between Feb. 26 and March 7 successfully lifted sensitive data from its computer systems.

The breach affected more than 8.9 million clients of MCNA, according to a data breach notification filed with the Maine Attorney General. The Atlanta-based healthcare organization is one of the country's largest providers of government-sponsored dental care and oral health in the US.

"On March 6, 2023, MCNA became aware of certain activity in our computer system that happened without our permission," the company said in the post on its website. "We quickly took steps to stop that activity."

Those steps were not quick enough to stop LockBit ransomware — which took responsibility for the attack — to make good on a threat to leak 700GB of data stolen from MCNA's systems if the provider did not pay $10 million in ransom. On April 7, the group released all of the data on its website for anyone to download, according to reports.

Dental Leak Included Sensitive Data

Included in that stolen data was a slew of personally identifiable information (PII) about MCNA clients — which may in some cases be for a parent, guardian, or guarantor of someone receiving service through the agency, the company said. This data included patient names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, and driver's licenses or other government-issued ID numbers, according to MCNA.

Data leaked in the attack also included details about clients' health insurance — including plan information, insurance company, member number, Medicaid-Medicare ID numbers, and what type of care they received from their provider. Attackers also stole bill and insurance claim info in the breach, according to MCNA.

"We are sorry for any concern this event may cause," the company said in the notice, adding that it will mail letters separately to people whose information "may have been involved" in the breach. The notice will remain active for 90 days to inform clients whose addresses that MCNA does not have and thus cannot be informed through the mail, it added.

MCNA also is offering clients affected by the breach an identity theft protection service for one year, and encouraged people to contact them via a toll-free number with any questions or concerns.

LockBit Strikes Again

LockBit, a ransomware-for-hire group that emerged as early as September 2019, is one of the more prolific ransomware gangs currently active on the scene. The group has made a name for itself by targeting high-profile victims — such as SpaceX and security giant Entrust — with its style of double-extortion ransomware, using auto-propagating malware and double-encryption methods that show a level of sophistication.

LockBit may have suffered a setback when one of its alleged leaders, dual Russian-Canadian citizen Mikhail Vasiliev, was arrested in Ontario, Canada, in November, but it hasn't stopped the gang from launching a slew of attacks since then, leaking data from its victims along the way.

While the advice security experts traditionally gave to organizations that are victims of ransomware was not to pay attackers, double-extortion attacks that result in data leaks that can harm both companies and their clients in the long run have changed the rules of the game. Some experts now advise considering various factors before deciding whether or not to pay a ransom, and that in some cases it might benefit them more in the long run to give in to attackers' demands.

Organizations can protect themselves against ransomware attacks by shoring up their overall security defense posture in myriad ways, including implementing secure passwords and multifactor authentication (MFA), so systems aren't breached in the first place. They should also put up strong controls to defend against phishing attacks, as attackers often use credentials stolen in this way to gain initial access to a network to deploy ransomware, experts said.