Nevada Dental Practice Notifying 1.2 Million of Hack

Absolute Dental Says Breach Involved Third-Party Managed Services Firm

A Nevada dental practice is notifying more than 1.2 million individuals of a hacking incident that compromised sensitive health and personal information.

Absolute Dental initially reported the hacking incident to federal regulators in May as affecting a placeholder estimate of 501 people. But this week the practice significantly increased that estimate on breach reports filed to some state attorneys general.

The practice’s breach notice describes the incident as involving the “inadvertent execution of a malicious version of a legitimate software tool, which occurred through an account associated with Absolute Dental’s third-party managed services provider.” That description suggests to some experts that the incident might have been among a rash of recent attacks involving Salesforce applications.

“The language used in the breach report suggests that a service provider was compromised and that access, which likely included email, was used to contact one or more users at Absolute, claimed to be working on a technical issue and had the user run an application to ‘fix’ the problem,” said Mike Hamilton, field CISO at security firm Lumifi Cyber and former CISO of the city of Seattle. “That application provided the initial access to the threat actors,” he said.

The incident at Absolute appears to fit similar descriptions of some entities hit by attacks involving Salesforce apps, but the February to March timing of the unauthorized access to Absolute systems could be months earlier than most of the reported Salesforce-related incidents so far.

In a wave of attacks that began earlier this summer, hackers have impersonated IT support staff in phone-based vishing attacks, tricking employees into installing malicious versions of Salesforce’s Data Loader connected app (see: Salesforce, Okta Targeted by Telephone Wielding Hackers).

Whether the Absolute Dental incident was among this recent attack trend or not, “the majority of successful breaches start with credential theft or impersonation combined with poor vulnerability management, asset management and segmentation practices, so ShinyHunter is not unique in their execution,” said Zach Moore, senior manager of cybersecurity at NWN, a vendor of AI-enabled security products.

“Similar tools and practices are needed to protect against this campaign versus all cyber attackers and ransomware campaigns,” he said.

Overall, the Absolute Dental incident “sounds like a combination of a supply chain attack – malicious version of a legitimate software tool – combined with a credential compromise from a partner admin account,” he said. “These types of accounts often see less security controls and oversight,” he said.

“Better account controls and zero trust would limit the damage a single account could do if compromised and more effective MDR would quickly identify malicious activity and isolate compromised endpoints,” he said.

Absolute Dental did not immediately respond to Information Security Media Group’s request for additional details about the breach, including the identity of the software tool or the third-party vendor involved.

Breach Details

Absolute Dental, which has over 50 dental locations throughout Nevada, said it became aware on Feb. 26 of a potential issue involving its information systems. An investigation determined that an unauthorized party accessed some of its systems between Feb. 19 and March 5.

Information potentially affected in the incident includes name, contact information, date of birth, Social Security number, driver’s licenses, passport data and health information.

The type of affected health information includes medical history, treatment and diagnosis information, explanation of benefits, health insurance information, medical record number and patient identification number. A “small number” of individuals may have had their financial account and payment card information also compromised, Absolute Dental said.

The practice said it notified law enforcement about the incident. As of Friday, Absolute Dental faces at least one proposed federal class action lawsuit involving the data breach, and several other law firms have issued public statements in recent days saying they too are investigating the incident for potential lawsuits.
