As people headed out for the holiday weekend, breaches of protected health information were being disclosed. (2)
Update: The MCNA (Managed Care of North America) incident was reported to the Maine Attorney General’s Office as affecting a total of 8,923,662 people.
Update 2, May 29: This incident was claimed by LockBit in March and data were leaked in April, but the data dump URLs were not working as of last check yesterday.
What are the odds that a data breach will be revealed on the Friday afternoon of a three-day holiday weekend?
Well, as anyone who has reported on breaches for a while knows, the odds are high. Today, DataBreaches reports two breaches that were disclosed on Friday. Whether the hope was that fewer people would notice them because they took off for the holiday or because there were more honorable intentions in disclosing on a Friday of a holiday weekend is unknown to DataBreaches. DataBreaches may find other Friday disclosures, but for now, we start with these:
MCNA Insurance (also known as MCNA Dental) disclosed a hacking incident with data exfiltration that affected more than 100 covered entities including state Medicaid agencies, the Children’s Health Insurance Programs, corporations, and insurance plans. A list of the 112 entities on whose behalf MCNA is providing notification is listed on an incident response website created for them by IDX.
According to the Georgia firm’s disclosure, the unauthorized access occurred between February 27 and March 7, and was discovered on March 6. The types of information varied by individual, but may have included:
- First and last name
- Date of birth
- Phone number
- Email address
- Social Security number
- Driver’s license number/other government-issued ID number
- Health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers)
- Care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment)
- Bills and insurance claims
Data was not only accessed but was also exfiltrated. MCNA’s notification did not indicate how many patients were affected for the 112 entities for who they are providing notice, and other entities may be providing their own notice.
DataBreaches sent MCNA an email inquiry asking if there was any ransom or extortion demand involved in this incident at all. No reply was immediately provided (see UPDATE 2 above this post).
Onix Group LLC
Onix Group LLC in Pennsylvania also issued a press release yesterday. Their notice was provided on their own behalf and on behalf of Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and Onix Hospitality Group.
Onix reports they were the victim of a ransomware attack on March 27 and the attacker had accessed their network, corrupted some systems, and exfiltrated some files between March 20 and March 27.
The types of protected health information involved included names, Social Security numbers, dates of birth, and scheduling, billing, and clinical information regarding patient care at one of the named healthcare providers.
The files that were accessed also contained information maintained for human resources purposes, including names, Social Security numbers, direct deposit information, and health plan enrollment information for all of the named entities.
Onix did not name the group or threat actor responsible for the attack or whether any of the data was irretrievably corrupted or lost. An email inquiry has been sent to them, too.