Cyber Incident Victim: Alberta Dental Service Corporation

On or around May 7, 2023, an unauthorized third party gained access to a portion of the Alberta Dental Service Corporation (ADSC) IT infrastructure. ADSC, which works in partnership with the Government of Alberta to administer dental benefits, did not detect this initial intrusion. The threat actor remained within the network for a period of over two months. During this time, the unauthorized party accessed and copied certain data from the ADSC network. The specific nature of the data accessed during this period was not immediately known. The incident was discovered on July 9, 2023, when the threat actor deployed malware which encrypted certain ADSC systems and data, rendering them temporarily inaccessible. This action prompted the discovery of the breach.

Upon discovery of the malware encryption, ADSC immediately deployed countermeasures to secure its network and data from further unauthorized access. The organization engaged third-party cybersecurity experts to assist with the containment and remediation efforts. A forensic investigation was also launched to determine the full nature and extent of the incident. Due to the availability of backups, ADSC was able to recover the affected systems and data with only minimal data loss. The ongoing investigation determined that the period of unauthorized access, or compromise, spanned from May 7, 2023, to July 9, 2023. Following the containment, ADSC undertook a detailed review of the affected data to identify which specific individuals and information had been impacted.

The data impacted in the incident belonged to individuals and dental providers served through various Government of Alberta dental programs. These programs include the Dental Assistance for Seniors Program (DASP) and Alberta’s Low-Income Health Benefits Program, which encompasses Assured Income for the Severely Handicapped (AISH), Alberta Adult Health Benefit, Alberta Child Health Benefit, and Income Supports. The Government of Alberta is the custodian of the personal health information in ADSC’s possession that was impacted. ADSC’s assessment concluded that affected individuals and organizations were at risk of harms including phishing, embarrassment, hurt, or humiliation as a result of the incident. For those individuals and organizations whose banking information was impacted, there was an additional risk of potential fraud or identity theft. This risk assessment considered the malicious actions of an unidentified third party and the specific types of information that were accessed.

ADSC reported the cybersecurity incident to law enforcement. The organization also took steps to ensure that any personal information which was accessed or copied from its systems had been deleted and was protected against fraudulent misuse, though the specific methods for accomplishing this were not detailed publicly. To notify those affected, ADSC established a dedicated call centre and created a dedicated webpage to provide information. Direct mail notifications were sent to DASP clients who may have had their personal banking information impacted. Individuals who believed their banking information was on file but did not receive a letter by August 25, 2023, were instructed to contact the call centre. Notifications for other impacted individuals were planned to be sent out shortly after the initial mailing to those with compromised banking data. The call centre, reachable at a provided toll-free number, operated from Monday through Friday, 8:00 AM to 8:00 PM EST, with weekend hours from 9:00 AM to 5:00 PM EST.

In response to the breach, ADSC stated it was working with leading third-party cybersecurity experts to complete a comprehensive investigation. The organization also implemented enhanced security safeguards with the stated goal of better preventing an incident of this nature from occurring in the future. ADSC acknowledged that while it had security measures in place that allowed for prompt action against attempted intrusions, and those measures were implemented in this instance, such incidents are not always preventable. The public notification also informed individuals of their right to ask the Information and Privacy Commissioner of Alberta to investigate the incident, providing the physical addresses for the Commissioner's offices in Calgary and Edmonton.