Delta Dental of California discloses nearly 7M patients affected in MOVEit hack

The long tail of the MOVEit Transfer breach has struck again.

The latest disclosure comes from Delta Dental of California, which notified nearly 7 million patients that they experienced a data breach after personal data was exposed in the MOVEit Transfer software case.

In a data breach notification filed Dec. 14, Delta Dental of California and its affiliates said that threat actors accessed certain protected health information, including information shared in connection with dental procedures and claims payments.

Impacted information included names with some combination of the following data points: addresses, Social Security numbers, driver’s license numbers or other state identification numbers, passport numbers, financial account information, tax identification numbers, individual health insurance policy numbers, and/or health information.

According to the CVE-2023-34362 posting by the National Institute of Standards and Technology, the MOVEit software was vulnerable to a zero-day SQL injection bug that leads to remote code execution, which the Cl0p ransomware gang exploited to breach Progress Software’s popular file transfer app.

Emsisoft has estimated that 2,667 organizations have disclosed breaches via the MOVEit bug affecting nearly 84 million people. The Emsisoft blog said 78.4% of the organizations disclosing breaches are based in the United States, while 13.8% of the victims are based in Canada.  

Delta Dental of California said that it first learned of the breach on June 1, which was when the case started to be widely reported. Following an investigation on July 6, Delta Dental confirmed that it was exposed to the MOVEit breach between May 27 and May 30. The dental insurance company then hired third-party experts in computer forensics, analytics and data mining to determined what information was impacted and with whom it’s associated. Along with its own investigation, Delta Dental of California also notified law enforcement.

Security pros call for teams to remediate MOVEit issue 

News that the zero-day vulnerability is still being exploited should serve as a wakeup call to every organization to remediate the MOVEit issue immediately, said Teresa Rothaar, governance, risk, and compliance analyst at Keeper Security. Rothaar said all organizations should take a proactive approach to regularly updating software and immediately patching vulnerabilities that are being actively exploited in the wild.

“Organizations must ensure they have a patch deployment process defined and written down, with emergency levers for critical vulnerabilities,” said Rothaar. “While not every attack can be prevented, teams can take steps to mitigate the access of cybercriminals and minimize impacts on systems, data and operations. The most effective method for minimizing sprawl in an attack does occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access."

Bud Broomhead, chief executive officer at Viakoo, added that it was known that the MOVEit vulnerability would have a long-term impact when it was announced in June. It’s likely we will continue to see announcements like this as organizations come to terms with whether their data was exfiltrated and to what extent customer data was included, he said.

“Because of the scale that MOVEit operates at, one might suspect this and previous breaches reported are truly the tip of the iceberg,” said Broomhead. “Kudos to Delta Dental of California for having the forensics in place to make these determinations, but not all organizations will be capable of doing that. What’s surprising is the ‘depth’ of data that was included: why would my dental insurance company need to retain passport numbers or other detailed personal information? Organizations should reconsider what data truly needs to be retained within personal records and reduce it to a minimum.”

John Gunn, chief executive officer of Token, added that in this case, the cybercriminals scored a trove of valuable data — most of which has already been resold many times on the dark web.

“This leaves victims with nothing more than what’s likely their third or fourth notification — with yet another offer of free credit monitoring, and a lot of risk and hassle,” said Gunn.