The records of nearly 9 million people have been published online following a LockBit ransomware attack on Managed Care of North America Inc.

The company, also known as MCNA Dental, is a leading provider of dental plans in the U.S., serving private employers, individuals and families through a range of Medicare, long-term and commercial plans. MCNA is also the largest dental insurer for government-sponsored Medicaid and Children’s Health Insurance Program programs.

The breach was first disclosed in a filing May 26 with the Office of the Maine Attorney General. The breach occurred between Feb. 26 and March 7, with the breach discovered on May 3 according to the filing, although a separate notice of data breach the same day claims that it was discovered on March 6.

The breach notice ticks the typical boxes: MCNA hired a third-party forensics team, in this case, ZeroFox Inc.-owned IDX. It discovered that “a criminal was able to see and take copies of some information in our computer system.”

Information stolen included names, addresses, dates of birth, phone numbers, emails, Social Security numbers, driver’s licenses and other government-issued ID numbers. Also stolen were health insurance details, dental care records and information relating to billing and insurance.

The LockBit ransomware gang claimed responsibility for the attack on March 7, saying it would publish 700 gigabytes of stolen data unless a $10 million ransom were paid. MCNA did not pay the ransom, so the data was published by LockBit on April 7.

The difference between LockBit having the data and publishing it versus when MCNA published its breach notice raises several questions about liability and responsibility. The company sat on the information without warning its patients until well over a month after the data had been released by LockBit, giving threat actors ample opportunity to target those affected.

“The compromise of such data through a ransomware attack poses significant risks to both patients and the organization itself,” Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, told SiliconANGLE. “The compromised data, for instance, can be leveraged for social engineering attacks, potentially leading to further breaches in other domains.”

James Graham, vice president of cyber risk management firm RiskLens Inc., warned that healthcare organizations must assume that persistent cyberattacks are the norm and take steps to understand their risk exposure more accurately.

“It’s vital for them to know the types of cyber incidents most likely to impact them and what their likely losses could be, in financial terms,” Graham said. “This is important not only for the entire organization but also the safety and privacy of patients, whose personal data could be at risk of exposure.”

Image: MCNA