Cyber Incident Victim: Delta Dental Plans Association

Date: Nov 2020

Location: United States of America

Summary

Delta Dental Plans Association experienced a ransomware attack by the Egregor threat actor group, resulting in unauthorized access to sensitive data that was subsequently published on a dedicated leak site. The incident involved exposure of protected health information, though specific details regarding the scope or types of compromised data were not publicly disclosed by the organization. Despite inquiries from cybersecurity researchers, the entity did not issue a public response or confirmation regarding the breach at the time of reporting. The attack formed part of a broader pattern of ransomware campaigns targeting healthcare-sector entities, with threat actors leveraging stolen data to pressure victims into paying ransoms.

Description

Delta Dental Plans Association (DDPA), based in Oak Brook, Illinois, was listed on the Egregor ransomware group’s dedicated leak site in mid-November 2020 following a cyberattack. Egregor threat actors, known for targeting multiple sectors including healthcare, publicly named DDPA as a victim and threatened to release stolen data unless ransom demands were met. The incident occurred amid a surge in ransomware attacks against healthcare entities in 2020, with Egregor emerging as an active threat group during this period. DataBreaches.net attempted to contact DDPA for confirmation or additional details regarding the breach but received no response to multiple inquiries. The public listing on Egregor’s leak site indicated that attackers had exfiltrated data, though the specific scope of compromised records (e.g., patient data, employee information, or operational files) was not disclosed in available reports. No immediate statement or acknowledgment was issued by DDPA at the time of the leak site posting, leaving stakeholders uncertain about the breach’s validity or severity.

The public exposure on Egregor’s platform represented a reputational and operational risk for DDPA, given the potential for sensitive information to be disseminated. Unlike contemporaneous victims such as Galstan & Ward Family and Cosmetic Dentistry or Golden Gate Regional Center, which promptly notified regulators and affected individuals, DDPA did not issue public communications or file a breach report with the U.S. Department of Health and Human Services (HHS) during the observable timeline covered in reports. The absence of HHS breach tool entries or patient notifications suggested ongoing internal investigations, legal deliberations, or a possible dispute of the attackers’ claims. Egregor’s broader pattern of attacks included instances where dumped data contained payroll details, patient records, or proprietary business documents, but no specifics about DDPA’s exfiltrated data were verified. The incident remained unresolved in public reporting channels by the conclusion of the article’s coverage period, with no further updates on containment actions, forensic findings, or regulatory disclosures from the organization.
