CA dental insurer reveals hackers stole social security numbers, more for nearly 7M customers

Cathie Anderson
·3 min read
2

Delta Dental of California and its affiliates have begun alerting roughly 7 million of its customers that hackers stole sensitive personal information as part of a global data breach that occurred back in May.

Like hundreds of other nonprofits, companies and government agencies affected by the MoveIt file-transfer breach, Delta Dental said it had to hire outside experts to determine how many of its customers were affected and what information was taken.

In a report to the state of Maine, Delta Dental said it began notifying customers on Thursday that they were affected. The company said hackers stole customer names with some combination of the following: addresses, social security numbers, driver’s license numbers or other state identification numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers and health information.

Delta Dental of California and its affiliates cover enrollees in all 50 states, plus Washington, D.C. and Puerto Rico, the company said.

“We’re deeply committed to protecting the information entrusted to us and take issues like this very seriously,” Delta Dental spokesman Katherine Wilburn wrote in a statement to The Sacramento Bee. “Immediately after being alerted of the incident, we took steps to contain and remediate the incident and protect our data.”

The company, with the assistance of the global risk mitigation and response company Kroll “launched a thorough investigation, led by a team of independent third-party forensics, analytic and data mining experts, to determine what information was impacted and with whom it is associated,” according to the statement. That concluded Nov. 27.

Delta Dental also contracted with the New York City-based Kroll to offer affected customers 24 months of free identity monitoring services. The dental insurer also urged customers to review their various account statements and credit reports closely and to report any suspicious activity to their creditors.

The company filed a notice on Sept. 5 with the U.S. Department of Health and Human Services that it had discovered hackers were able to exploit an unknown vulnerability within Progress Software’s MoveIt data-transfer platform. Companies have used the software to securely share information with contractors, but a ransomware outfit known as Clop or C10p foiled encryption protocols and were able to get the system to transmit data to them.

C10P, in a statement released on its dark web page, said that they would not release data if companies paid a fee, to be negotiated, and that they would erase data taken from government and police agencies.

The anti-malware company Emsisoft has been keeping a running tally of people affected, and with the Delta Dental breach, the company said that more than 2,600 organizations and 90 million-plus individuals worldwide have been affected. That includes 845,441 Sutter Health patients; 1.2 million retirees with accounts in the California Public Employees’ Retirement System and the California State Teachers Retirement System; and 1.3 million Maine residents whose information was compromised through state agencies.

“It’s unclear how many more people may have been impacted by MOVEit, and it’s also unclear why, in some cases, it’s taking so long for them to be notified,” said threat analyst Brett Callow of Emsisoft. “That’s unfortunate. The sooner they are notified and get credit monitoring in place, the less likely it is that they’ll become victims of identity-related fraud.”

The global security breach has spawned dozens of lawsuits in the United States, and a multidistrict judicial panel assigned U.S. District Judge Allison Burroughs in the District of Massachusetts to oversee all the litigation. Progress Software is based in Burlington, Massachusetts.

The breach of Sutter patient data, announced in early November, already has spawned at least two lawsuits seeking class-action status, one filed by Erickson Kramer Osborne in San Francisco and another filed by Blood Hurst & O’Reardon of San Diego and Barnow Associates of Chicago.