Cyber Incident Victim: Managed Care of North America
Date:
Feb 2023
Location:
United States of America
Summary
A ransomware attack on Managed Care of North America, the largest U.S. dental insurer for government Medicaid and Children's Health Insurance Programs, compromised personal and health data of nearly nine million individuals. The LockBit group infiltrated systems during a period of unauthorized access, exfiltrating 700 gigabytes of data including Social Security numbers, driver’s licenses, health insurance details, dental treatment records, x-rays, billing information, and data belonging to patients' parents or guardians. After the $10 million ransom demand was unmet, the threat actor publicly released the stolen files. The breach affected multiple government agencies and unions across states, prompting forensic investigations, law enforcement engagement, security enhancements, and a year of identity protection services for impacted individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 26, 2023, unauthorized actors gained access to Managed Care of North America’s (MCNA) computer systems, initiating a ransomware attack against the largest U.S. dental insurer for government-sponsored Medicaid and Children’s Health Insurance Programs. MCNA’s IT team detected anomalous activity in their network on March 6, discovering that certain systems had been infected with malicious code. The breach persisted undetected for 10 days until March 7, during which threat actors exfiltrated approximately 700 gigabytes of sensitive data. The LockBit ransomware group publicly claimed responsibility for the attack on March 27, 2023, threatening to release stolen files unless a $10 million ransom was paid. MCNA declined payment, leading LockBit to publish the entirety of the exfiltrated data on April 6. A forensic investigation concluded on May 3 by a third-party cybersecurity firm confirmed the intrusion timeline and data theft scope, revealing that attackers had copied personal and health-related information during their network access period.
The incident compromised sensitive records of 8,923,662 individuals across multiple states, with stolen data including full names, Social Security numbers, driver’s licenses, government IDs, dates of birth, contact information, and comprehensive health insurance details. Exposed dental records contained treatment histories, X-rays, photographs, medication information, billing records, and provider details about dentists and orthodontists. A subset of compromised data belonged to parents, guardians, or guarantors responsible for patient accounts. MCNA initiated breach notifications through mailed letters and a HIPAA-compliant substitute website notice on May 26, 2023, acknowledging involvement of information from over 100 client organizations spanning government health agencies, school districts, unions, and insurance plans. Victim organizations included federal programs across eight states such as Florida Healthy Kids Corporation, Texas Health and Human Services Commission, and Arkansas Department of Human Services, alongside unions representing teachers, law enforcement personnel, and healthcare workers. MCNA immediately engaged law enforcement, retained forensic specialists, implemented network security enhancements, and provided complementary 12-month identity protection services to affected individuals through a dedicated enrollment portal and toll-free support line at 1-888-220-5006.