Managed Care of North America (MCNA) Dental posted a data breach notification on its website, notifying nearly 9 million patients that their personal data has been compromised.

MCNA Dental is one of the largest providers of government-sponsored (Medicaid and CHIP) dental and oral health insurance in the United States.

In a notice released Friday, MCNA said it became aware of unauthorized access to its computer systems on March 6, 2023, with an investigation finding that hackers first gained access to MCNA’s network on February 26, 2023.

Meanwhile, hackers have stolen data containing the following information for nearly nine million patients.

• Full name
• Address
• Date of birth
• Phone number
• E-mail
• Social Security number
• Driver’s license number
• Government issued identification number
• Health insurance (plan information, insurance company, membership number, Medicaid-Medicare ID numbers)
• Teeth or braces care (visits, dentist’s name, doctor’s name, previous care, x-rays/photos, medications and treatment)
• Invoices and insurance claims

THE notification filed with the Maine Attorney General’s office says the breach affected 8,923,662 people, including patients, parents, guardians or guarantors.

MCNA says it has taken all appropriate steps to remedy the situation and strengthen the security of its systems to prevent similar incidents from happening in the future. He also contacted law enforcement authorities to help prevent misuse of the stolen information.

Additionally, the notices sent to affected individuals contain instructions to receive 12 months of free identity theft protection and credit monitoring service through IDX.

However, not everyone affected will receive notice, as MCNA does not have a current address for everyone; this is why the organization has published a replacement notice on IDXwhich will remain online for 90 days.

On this notice, people can also find the long list of more than a hundred health care providers indirectly affected by this incident. However, it is unclear whether these entities will issue separate notices of infringement.

LockBit claimed responsibility for the attack

The LockBit ransomware gang claimed responsibility for the cyberattack against MCNA on March 7, 2023, when the group released the first samples of data stolen from the healthcare provider.

LockBit threatened to release 700 GB of sensitive and confidential information they allegedly exfiltrated from MCNA’s networks unless they were paid $10 million.

On April 7, 2023, LockBit released all the data on its website, making it available for anyone to download.

Since the data is likely in the hands of other threat actors, all affected users should monitor their credit reports for fraudulent activity and signs of identity theft.

Additionally, users should beware of targeted phishing emails that use leaked data to trick recipients into revealing other sensitive information, such as credentials.