MOVEit vulnerability hits Delta Dental: 7 million records exposed


Delta Dental of California and its affiliates have disclosed a data breach following a global security incident related to the vulnerability in Progress Software’s MOVEit file transfer software.

According to a breach notification filed with the Maine Attorney General on December 14, unauthorized actors accessed protected health information.

Exposed data includes individuals’ names associated with a mixture of addresses, social security numbers, driver’s license numbers, state identification numbers, passport details, financial account information, tax identification numbers, individual health insurance policy numbers and/or health-related information.

Delta Dental discovered the flaw on June 1, 2023, and reportedly launched an investigation and took corrective action.

On July 6, 2023, unauthorized access was confirmed to have occurred between May 27 and 30, affecting approximately 7 million people. The investigation concluded on November 27, 2023, and law enforcement was notified.

Claude Mandy, Chief Data Security Evangelist at Symmetry Systems, noted that the delay in detecting, responding and identifying the data accessed and the individuals involved is not surprising.

“Determining this typically requires the use of specialist digital forensics and incident response vendors, who must forensically examine logs and individual data objects using a combination of forensic tools and deep cybersecurity expertise to piece together what happened to individual data objects,” Mandy explained.

“Modern data security tools can accelerate the identification of affected data, especially at scale. We therefore hope that these delays will be reduced as these tools are adopted.”

Delta Dental said it has informed the people concerned and provided support services. Individuals are advised to monitor financial statements and report any suspicious activity. A hotline is available at 800-693-2571.

“There are proactive steps that those affected by the Delta Dental breach can take to limit their exposure,” commented Teresa Rothaar, governance, risk and compliance analyst at Keeper Security.

“(These include) changing the login credentials of their compromised accounts, using a dark web monitoring service to verify leaked credentials, monitoring or freezing their credit reports and practicing good cyber hygiene.”

The MOVEit vulnerability affected thousands of organizations around the world, from businesses to government agencies.


“From the first announcement, we knew that the MOVEit vulnerability would have a long-term impact,” commented Viakoo CEO, Bud Broomhead.

According to the executive, what is surprising is the “depth” of the data included; the need for dental insurance companies to retain passport numbers or other detailed personal information is puzzling.

“Organizations should reconsider what data should actually be kept in personnel records and reduce it to a minimum. All data that must be retained must be encrypted at all stages of its journey and digitally watermarked to help determine whether it has been exfiltrated following a cyber breach.”
