More than 100 Agencies, Health Entities Impacted by Data Breach Discovered in March
An insurance provider that services many state Medicaid agencies and children’s health insurance programs told regulators that hackers compromised the personal and protected health information of nearly 9 million patients in an incident discovered in March.
Fort Lauderdale, Florida-based MCNA insurance Company, in a data breach notification letter filed with the Maine state attorney general’s office, said it detected unauthorized access to certain MCNA systems on March 6 and discovered that certain systems within the network were infected with malicious code.
The company also listed over 100 affected organizations impacted by the breach that includes the Arkansas Department of Human Services, the City of New York Management Benefit Fund, Florida Healthy Kids Corporation, the Idaho Department of Health and Welfare, the Iowa Department of Human Services, Louisiana Department of Health, Nebraska Department of Health and Human Services.
MCNA is a provider of dental and orthodontic care to members of certain state Medicaid agencies and the Children’s Health Insurance Program, for which they provide dental benefits and services.
“Through its investigation, MCNA determined that an unauthorized third party was able to access certain systems and remove copies of some personal information between February 26, 2023, and March 7, 2023,” the firm said in a sample breach notification letter.
MCNA’s investigation found that the attackers were successful and that affected patient personal information may include full name, date of birth, address, telephone, email, social security number, and driver’s license number or government-issued ID number.
The health data includes insurance information such as the name of plan/insurer/government payor, member/Medicaid/Medicare ID number, plan and/or group number and information regarding dental/orthodontic care. This information covered parents, guardians and guarantors, who paid the bill.
The attackers could also accessed data about patient visits, dentist names, doctor names, past care, X-rays/photos, medicines and treatment.
The extent to which data was compromised “was not the same for everyone,” the firm said.
As of Friday, the MCNA Insurance incident did not yet appear on the U.S. Department of Health and Human Services website listing health data breaches affecting 500 or more individuals.