Delta Dental of California discloses 7M patients affected in MOVEit hack

Delta Dental of California reported a data breach affecting 7 million patients, exposing personal data through the MOVEit Transfer software.

Emsisoft has estimated that nearly 3,000 organizations have reported data breaches due to the MOVEit bug, which has affected nearly 84 million individuals. One of the most recent disclosures came from Delta Dental of California, which notified almost 7 million patients that their personal data was exposed in the MOVEit Transfer software case.

In a data breach notification filed on December 14, Delta Dental of California and its affiliates revealed that threat actors accessed certain protected health information, including data shared in connection with dental procedures and claims payments. The impacted information included names, along with a combination of addresses, Social Security numbers, driver's license numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers, and health information.

The MOVEit software was found to be vulnerable to a zero-day SQL injection bug that led to remote code execution, which was exploited by the Cl0p ransomware gang to breach Progress Software's popular file transfer app, according to the CVE-2023-34362 posting by the National Institute of Standards and Technology.

Emsisoft's blog revealed that 78.4% of the organizations disclosing breaches are based in the United States, while 13.8% of the victims are based in Canada. Delta Dental of California first learned of the breach on June 1 and confirmed that it was exposed to the MOVEit breach between May 27 and May 30, following an investigation on July 6. The company then hired third-party experts in computer forensics, analytics, and data mining to determine the impacted information and notify law enforcement.

Teresa Rothaar, a governance, risk, and compliance analyst at Keeper Security, emphasized the importance of organizations taking a proactive approach to regularly updating software and immediately patching vulnerabilities that are being actively exploited in the wild. She also stressed the need for organizations to have a defined patch deployment process with emergency levers for critical vulnerabilities.

Bud Broomhead, CEO of Viakoo, suggested that the MOVEit vulnerability would have a long-term impact, and it's likely that more organizations will come forward with announcements of data breaches. He urged organizations to reconsider what data truly needs to be retained within personal records and reduce it to a minimum.

John Gunn, CEO of Token, highlighted the severity of the situation, noting that cybercriminals scored a trove of valuable data, which has likely been resold many times on the dark web. He emphasized that this leaves victims with little more than repeated notifications and offers of free credit monitoring, along with a lot of risk and hassle.

Share With Others