HQ/EMEAFind out how we can help your business
MCNA Insurance, a prominent insurance provider serving numerous state Medicaid agencies and children’s health insurance programs, recently alerted regulators about a security breach that exposed the protected health information of about 9 million patients.
The incident, discovered in March, prompted the company to file a data breach notification letter with the Maine state attorney general’s office, revealing that unauthorised access was detected on March 6. Further investigation revealed the presence of malicious code infecting specific systems within the MCNA network.
Numerous sensitive patient data were involved in the MCNA Insurance data breach.
MCNA Insurance is a trusted dental and orthodontic care service provider catering to select state Medicaid agencies and the Children’s Health Insurance Program members. Their expertise lies in offering eligible individuals comprehensive dental benefits and specialised services.
Following an extensive investigation, MCNA Insurance has confirmed that the attackers successfully compromised highly sensitive patient information. The exposed patient details are full names, birthdates, addresses, phone numbers, email addresses, social security numbers, and driver’s licenses or government-issued ID numbers.
The breach also resulted in unauthorised access to patients’ health data, including plan names, insurer details, government payor information, member/Medicaid/Medicare ID numbers, plan and group numbers, and comprehensive dental and orthodontic care information.
Notably, the breach encompassed parents, guardians, and guarantors responsible for bill payments. The attackers could also obtain comprehensive patient records, comprising details about visits, dentists, doctors, past care, X-rays/photos, prescribed medications, and received treatments.
MCNA Insurance clarified that the extent of data compromise varied among individuals affected, indicating that the impact was not uniform across all affected parties.
In a breach notification letter, MCNA Insurance revealed that an unauthorised third party had access to specific systems and stolen copies of data between February 26 and March 7, 2023.
The company also disclosed a list of over 100 organisations affected by the breach, including the Arkansas Department of Human Services, the City of New York Management Benefit Fund, Florida Healthy Kids Corporation, the Idaho Department of Health and Welfare, the Iowa Department of Human Services, Louisiana Department of Health, and Nebraska DHHS.
