Cyber Incident Victim: Delta Dental Plans Association

On May 27, 2023, a cybersecurity incident impacted the systems of Delta Dental of California and its affiliates. The entity, a healthcare organization headquartered at 560 Mission St Ste 1300 in San Francisco, California, was the victim of an external system breach, which is characterized as hacking. The breach was not discovered until July 6, 2023, indicating a period of approximately six weeks between the initial compromise and the organization's awareness of the event. The attack resulted in the acquisition of a significant volume of sensitive personal information belonging to a large number of individuals.

The total number of persons affected by this breach was reported as 6,928,932. This figure includes individuals from across the United States, with only three identified as residents of the state of Maine. Due to the low number of affected Maine residents, which was well below the 1,000-person threshold, the consumer reporting agencies were not notified as part of the regulatory response specific to that state. The compromised data was highly sensitive, consisting of names or other personal identifiers in combination with financial account numbers or credit and debit card numbers. Critically, this financial information was acquired in combination with the corresponding security codes, access codes, passwords, or PINs for the accounts, significantly increasing the potential for fraud and misuse.

The response to the breach involved a formal notification process directed by outside counsel. The law firm Clark Hill PLC, with Senior Attorney Jason Schwent acting as the submitter of the breach information to authorities, managed the communication. The contact telephone number provided was 312-985-5939, and the email address was [email protected]. The entity elected to provide written notification to all affected consumers. The date for this consumer notification was set for December 14, 2023, a significant delay of over six months from the date the breach was discovered and nearly seven months from the date the breach originally occurred. This timeline indicates a prolonged period of investigation and assessment following the discovery of the incident.

As part of its response to mitigate potential harm to the affected individuals, Delta Dental of California and its affiliates offered identity theft protection services to those impacted by the breach. The offering of such services is a common remedial action intended to provide monitoring and assistance to consumers whose personal and financial data has been exposed. The specific details regarding the duration of these services, the provider company, and a full description of the protective services offered were not disclosed in the public filing with the Maine Attorney General's office. The provision of these services represents a tangible cost and consequence of the incident, undertaken to help safeguard the victims.

The incident represents a significant compromise of personal financial data, given the combination of payment card numbers with the associated authentication codes and passwords. This type of data combination provides malicious actors with the necessary information to conduct fraudulent transactions and potentially gain unauthorized access to financial accounts. The scale of the breach, affecting nearly seven million individuals, underscores the substantial impact of the event. The targeting of a major healthcare organization also highlights the ongoing focus that cybercriminals have on the healthcare sector, which often manages vast amounts of sensitive personal and financial information.

The delay between the breach occurrence on May 27 and its discovery on July 6 suggests that the attackers had a considerable window of access to the systems before their presence was detected. This period of undetected access likely allowed the threat actors to explore the network, identify valuable data repositories, and exfiltrate the information without raising immediate alarms. The subsequent period from discovery on July 6 to the planned consumer notification on December 14 indicates a complex and lengthy forensic investigation was necessary to determine the full scope of the compromise, identify all affected individuals, and coordinate a large-scale response.

The regulatory filing was made with the Office of the Maine Attorney General, specifically within its Consumer Protection division focusing on Privacy, Identity Theft, and Data Security Breaches. This filing is a legal requirement under state law following a data breach that affects residents of Maine. The document submitted includes a copy of the notice that was sent to the affected Maine residents, titled "AG Notice - ME - Delta Dental + Affiliates.pdf." This ensures transparency and provides a public record of the event and the organization's response to it. The filing confirms that no previous breach notifications had been issued by the entity within the twelve months preceding this incident.

The consequences of this breach are primarily financial and reputational for the organization, and they carry a high risk of identity theft and financial fraud for the millions of affected individuals. The theft of complete financial credential sets is among the most severe types of data breaches, as it directly facilitates economic crime against the victims. The organization's commitment to providing identity protection services is a direct attempt to address these risks, though the long-term effectiveness of such measures can vary. The incident required a substantial response effort, involving legal counsel, forensic cybersecurity teams, and customer support operations to manage the fallout and comply with various state notification laws. The public nature of the filing also serves to inform other organizations and the public at large about the persistent threat of cyber attacks and the importance of robust security measures to protect sensitive information.