Delta Dental of California and affiliates disclosed a data breach following a global security incident linked to the vulnerability in MOVEit file transfer software by Progress Software.
According to a breach notification filed with the Maine Attorney General on December 14, unauthorized actors accessed protected health information.
The exposed data includes individuals’ names coupled with a mix of addresses, Social Security numbers, driver’s license numbers, state identification numbers, passport details, financial account information, tax identification numbers, individual health insurance policy numbers and/or health-related information.
Delta Dental discovered the breach on June 1 2023, reportedly launching an investigation and taking corrective measures.
On July 6 2023, it was confirmed that unauthorized access occurred between May 27 and May 30, affecting approximately 7 million individuals. The investigation concluded on November 27 2023, with law enforcement notified.
Claude Mandy, chief evangelist of data security at Symmetry Systems, noted that the delay in detecting, responding to and identifying the accessed data and individuals impacted is unsurprising.
“To determine this typically relies on specialist digital forensic and incident response providers who need to forensically comb through logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened down to the individual data objects,” Mandy explained.
“Modern data security tools can speed up the identification of what data is impacted, particularly at scale, so hopefully, we will see these timeframes reduced as these tools get adopted.”
Delta Dental said it is notifying affected individuals and providing support services. Individuals are advised to monitor financial statements and report suspicious activity. A hotline is available at 800-693-2571.
“There are proactive steps individuals impacted by the Delta Dental breach can take to limit their exposure,” commented Teresa Rothaar, governance, risk and compliance analyst at Keeper Security.
“[These include] changing login info for their compromised accounts, utilizing a dark web monitoring service to check for leaked credentials, monitoring or freezing their credit reports and practicing good cyber hygiene.”
The MOVEit vulnerability has impacted thousands of organizations globally, from corporations to government agencies.
Read more on it here: Critical Zero-Day Flaw Exploited in MOVEit Transfer
“From when it was first announced, we knew that there would be a long-term impact from the MOVEit vulnerability” commented Viakoo CEO, Bud Broomhead.
According to the executive, the surprising part is the “depth” of included data; the need for dental insurance companies to retain passport numbers or other detailed personal information is perplexing.
“Organizations should reconsider what data truly needs to be retained within personal records and reduce it to a minimum. Any data that does need to be retained should be encrypted at all stages of its journey and have digital watermarking to help determine if it has been exfiltrated through a cyber breach.”