Between February 7th and March 7th 2023, hackers breached the personal information of almost 9 million individuals in the United States held by a major dental insurance company, MCNA. The stolen information includes a trove of patients’ personal data: names, addresses, dates of birth, phone numbers, email addresses, social security numbers and driver’s licenses or other government-issued ID numbers. Hackers also accessed patients’ health insurance data, including plan information and Medicaid ID numbers, along with bill and insurance claim information.
In some cases this data pertained to a patient’s “parent, guardian, or guarantor” according to MCNA Dental, suggesting that children’s personal data was accessed during the breach. There is limited information as to how the hackers gained access; what is known is that LockBit gained unauthorized access to the MCNA network and planted ransomware, affecting a total of 8.9 million accounts.
An interesting detail regarding this hack is how MCNA handled the demands of the hackers, and the implications of doing so. A total of 700 GB of information was stolen, and the LockBit ransomware group released the stolen data to the public in early April after MCNA refused a ransom demand of $10 million. Despite this, no data breach notification was posted to the public until May 26.
This also means that impacted victims are facing a wave of fraud, identity theft and phishing attempts as their information is dispersed across dark web sites.
How Different International Standards View Ransomware Attacks
ISO 27001 – ISO 27001 doesn’t explicitly mention any kind of process or procedure for handling a ransomware attack. Instead it focuses on broader impact assessment and future mitigation techniques, with additional emphasis on ensuring that any third parties handling company data adhere to similar standards.
NIST Framework – NIST offers some prevention techniques against ransomware attacks, in particular in its Special Publication 800-53, which provides security and privacy controls designed to help detect, prevent and respond to ransomware attacks. This is consistent with NIST’s risk-based approach to cyber security.
Several other cyber security standards and frameworks, such as PCI-DSS, GDPR, CIS and others, approach ransomware attacks in a similar way. Some do not explicitly mention ransomware and instead use an umbrella term such as malware, combined with mitigation and prevention techniques against such attacks.