Delta Dental of California was struck with a data hack that exposed the personal information of nearly 7 million patients, becoming the latest casualty of the MOVEit Transfer software breach that has affected more than 2,600 organizations mostly in the U.S.
Delta Dental of California is one of the latest organizations to confirm it is a victim of the global hacking spree by the Russian CLOP ransomware gang that has used a vulnerability in Progress Software’s managed file transfer software MOVEit to infiltrate companies’ networks. Currently, this sweeping attack has affected an estimated 90 million people.
The dental insurance carrier and its affiliates stated that hackers breached health data, including information shared in association with dental procedures and claims payments, according to a data breach notification filed on December 14.
Sensitive information that has been affected include names along with some combination of the following data:
- Social Security numbers
- Driver’s license numbers
- Financial accounts
- Tax identification numbers
- Health information
On June 1, Delta Dental learned that its data had been hacked. On July 6, an investigation revealed that Delta Dental was hit between May 27 and May 30 by the MOVEit breach. Third-party forensic experts hired by the insurer confirmed what type of information was compromised and with whom it was associated, according to the notification.
Additionally, Delta Dental notified law enforcement of the attack. The dental insurer concluded its investigation on November 27.
In June, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI published an advisory recommending actions and mitigations to protect and limit the damage that the CLOP ransomware gang has caused as a result of exploiting a vulnerability in MOVEit.
In May, the cybercriminals, also known as TA505, began taking advantage of an unknown structured query language injection vulnerability in a MOVEit transfer. Specific malware used by CLOP infected internet-facing MOVEit web applications, allowing the gang to steal data from the software’s underlying databases, according to the advisory.
On July 16, the U.S. State Department of Diplomatic Security Service Rewards for Justice offered a $10 million reward for tips leading to the identification and apprehension of the cybercriminals. Since the advisory, new victims have come forward, including the Shell Company, the U.S. Department of Energy, the BBC, Johns Hopkins University, American Airlines, Siemens Energy, Estee Lauder, and Shutterfly as well as hundreds of educational institutions, including University of the Pacific, West Virginia University, Vanderbilt University, the University of San Francisco, and the University of Richmond.