An Alabama pediatric dental practice is notifying nearly 130,000 individuals that their sensitive information was compromised in a recent cyberattack. The entity appears to have potentially paid a ransom in exchange for a promise by hackers to destroy breached data without disclosing it.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

Birmingham, Alabama-based Acadia Health LLC, which does business as Just Kids Dental, in a breach report submitted on Sept. 1 to Maine’s attorney general office said the practice’s computer systems and network were attacked by a malicious actor on Aug. 2.

“A program was used to encrypt JKD’s computer networks and data, including systems that Just Kids Dental uses to store certain patient and employee files,” a sample breach notification letter provided to the attorney general said. The incident, discovered on Aug. 8, affected patients, their parents and guardians, as well as current and former employees, Just Kids Dental said.

Affected information of patients, parents and guardians potentially includes name, address, email, phone number, birthdate, Social Security number, driver’s license number, health insurance policy information and treatment information including radiographic images, medical record number, account number and health conditions.

For current and former employees, compromised information includes name, Social Security number and local, state and federal licensing information.

The attackers did not obtain any patient banking or credit card account information in the incident, the practice said, adding that it is currently unaware of any misuse of the affected data.

“The malicious actor confirmed to JKD that it deleted the data without distributing it, so we do not expect there to be future misuse,” the notice said. “We are sending you this notice in an abundance of caution so you can take the steps you feel necessary to protect your information.”

Just Kids Dental stated that the malicious actors’ claim to have deleted the entity’s data suggests that a ransom demand was paid after negotiations with the dental practice’s insurance company, said Mike Hamilton, co-founder and CISO of security firm Critical Insight.

“Even if the records do not appear for sale in any dark markets now, there is no guarantee that they will not be monetized later,” he warned.

“Health records are especially valuable, and those of children even more so because of the pristine credit histories that can be used for financial fraud. These assurances should always be viewed as finite. The opportunity to sell the records later will continue to be a concern for those affected.”

Just Kids Dental in its report to Maine’s attorney general said it is not offering affected individuals identity or credit monitoring. Rather, the practice is encouraging affected individuals “to remain vigilant against incidents of identity theft and fraud, to monitor your account statements and to watch for suspicious or unauthorized activity.”

Just Kids Dental did not immediately respond to Information Security Media Group’s request for additional information, including confirming whether the company paid a ransom in exchange for attackers destroying stolen data and/or for a decryptor key to unlock its encrypted systems and data.

Serious Situation

Some experts say organizations in their breach notifications often try to minimize the potential impact of security incidents, including situations in which ransoms were paid to attackers in exchange for promises to destroy or return stolen data.

“I really wish organizations would stop using terms like ‘out of an abundance of caution’ in breach notifications as it downplays the seriousness of the situation and may result in impacted individuals being less cautious than they otherwise would be,” threat analyst Brett Callow of security firm Emsisoft told ISMG. “The fact is that cybercriminals had – and may very well still have – their information, and it may be misused at any future point.”

Furthermore, it generally makes no sense for organizations to pay a ransom to have stolen data supposedly deleted, Callow said. “It doesn’t undo the breach, it doesn’t alter organizations’ regulatory requirements, it doesn’t lessen potential legal liability and, perhaps most importantly, it doesn’t guarantee that the data will actually be deleted.”

When organizations pay a ransom to cyberattackers, all they’re getting “is a pinkie promise – from a criminal enterprise – that they will delete all copies of the stolen information,” he added.

Prime Targets

The attack on Just Kids Dental is one of several major security incidents affecting sensitive information of pediatric patients reported to regulators so far this year.

To date, the largest such incident in 2023 appears to be a breach reported by Florida-based MCNA insurance Co., which services many state Medicaid agencies and children’s health and dental insurance programs.

MCNA told the U.S. Department of Health and Human Services in May that hackers had compromised the personal and protected health information of nearly 9 million patients in an cyber incident discovered in March (see: Dental Health Insurer Hack Affects Nearly 9 Million).

Data compromises involving the sensitive personal and health information of pediatric patients are especially concerning, some experts say.

“Children’s records are specifically targeted because of their long ‘shelf life’,” Hamilton said. “It’s almost a bank account for the attackers, and this is strategic targeting for exactly that purpose. Extortion on the front end, records for sale much later.”