Hacking Group Claims Responsibility for Multi-Million-Record DentaQuest Data Breach
Wellesley, MA-based DentaQuest, a dental benefits administrator that manages the benefits for 32 million Americans, has announced it is actively managing a cybersecurity incident involving unauthorized access to a limited part of its network. According to its website notice, immediate action was taken to contain and mitigate the threat, and the company is working with a leading cybersecurity expert, forensic investigators, and law enforcement authorities.
DentaQuest, part of Sun Life U.S. Dental, is the largest Medicaid and Children’s Health Insurance Program dental benefits administrator in the country, operating in 50 U.S. states. The company has yet to determine the exact scope of the incident and the extent to which sensitive data has been compromised. The company has promised to update clients and ensure that they receive information as quickly and transparently as possible.
The digital extortion group ShinyHunters has claimed responsibility for the incident and has added DentaQuest to its dark web data leak site. The group specializes in data theft and extortion and claims to have exfiltrated 234 GB of data from DentaQuest systems. ShinyHunters explained on its data leak site that it has attempted to negotiate a ransom payment with DentaQuest to prevent the publication of stolen data, but despite exercising considerable patience and making multiple offers, it failed to reach an agreement with DentaQuest. As a result of the failure, ShinyHunters proceeded to leak the stolen data.
Have I Been Pwned (HIBP) has analyzed the leaked data, which contains the unique email addresses of 2.6 million individuals, along with names, addresses, phone numbers, dates of birth, and genders. HIBP said the leaked data appears in healthcare enrollment files (ASC X12 transaction sets), some of which include information such as Medicaid IDs, other government-issued IDs, and health insurance information. Around 66% of the records exposed were already in its database, having been breached in previous incidents.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Social Security numbers do not appear to have been stolen or leaked, so the affected individuals do not face an immediate threat of identity theft; however, since email addresses and contact information have been leaked, they do face an increased risk of social engineering and phishing attacks. If the data breach is confirmed as affecting 2.6 million individuals, it will rank as one of the largest healthcare data breaches of the year to date.
