December 18, 2023
In the ever-evolving landscape of cybersecurity, vigilance is key. Recently, Delta Dental of California faced the brunt of a cyberattack, highlighting the imperative need for robust security measures. At Abyde, we believe in keeping our community informed to fortify defenses against potential threats. Here’s a closer look at the Delta Dental MOVEit breach and insights on strengthening your cybersecurity posture.
Understanding the Breach
Delta Dental of California, an esteemed provider of dental insurance to 45 million individuals, fell victim to the Clop hacking group’s exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. This breach, affecting a staggering 6,928,932 dental plan members, underscores the critical importance of cybersecurity in safeguarding sensitive information.
Timeline of Events
The breach unfolded when Delta Dental identified an SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer on June 1, 2023. Despite Progress Software swiftly releasing an emergency patch on May 31, 2023, the Clop group had exploited the flaw between May 27 and May 30, 2023. The aftermath saw unauthorized access and data exfiltration from Delta Dental’s MOVEit server.
Response and Analysis
Delta Dental responded promptly, engaging third-party computer forensics experts to conduct a thorough analysis. The complexity of the breach required meticulous scrutiny, leading to the finalization of the affected individuals and data types on November 27, 2023. Notification letters commenced distribution on December 14, 2023.
Protective Measures for Affected Individuals
In an effort to mitigate the impact on affected individuals, Delta Dental has taken proactive steps. Those affected are being offered 24 months of complimentary credit monitoring and identity theft protection services. This measure aims to empower individuals to monitor and protect their personal information during this challenging time.
Learning from the Incident
While Delta Dental emphasized that this was a mass exploitation incident affecting numerous companies, the magnitude of the breach sets it apart. With nearly 7 million individuals affected, it stands as the third-largest healthcare MOVEit-related breach reported.
HIPAA Compliance and Notification
Delta Dental adhered to the HIPAA Breach Notification Rule, reporting the breach to the HHS’ Office for Civil Rights on September 6, 2023, within the stipulated 60-day timeframe. The intricate process of identifying affected individuals and data involves digital forensic and incident response providers, highlighting the complexities of incident response.
At Abyde, we advocate for a proactive approach to cybersecurity and compliance. Regularly updating and patching software, conducting comprehensive risk assessments, and fostering a culture of compliance are crucial components of a resilient HIPAA compliance strategy. Abyde is here to guide you on your journey to enhanced security and privacy. Reach out to one of our experts today to learn more! Call 800.594.0883 or email info@abyde.com.