Breach Notification , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security

American Dental Association Hit by Disruptive Cyber Incident

Attack Allegedly Involved 'Black Basta'; Tenet Health Hit in Separate Incident
American Dental Association Hit by Disruptive Cyber Incident
The American Dental Association, based in Chicago, says it is "experiencing a cyber incident."

The American Dental Association allegedly has been hit with attack by "Black Basta," a new ransomware group. ADA is the latest medical professional organization dealing with a cyber incident disrupting services and potentially affecting members' information.

See Also: Gartner Guide for Digital Forensics and Incident Response

The ADA in a statement Wednesday to Information Security Media Group says the cybersecurity incident was discovered last Friday, causing a disruption to certain systems, including membership services software Aptify, and ADA email, telephone and Web chat. "Upon discovery, the ADA immediately responded by taking affected systems offline and commenced an investigation into the nature and scope of the disruption," the statement says.

"We are working diligently with third-party cybersecurity specialists to investigate the impact on ADA systems and restore full system functionality. At this time, there is no indication any member information or other data has been compromised, however our investigation is still underway," the statement says.

The ADA says it has notified federal law enforcement authorities and is cooperating in an active investigation.

Media site Bleeping Computer has reported that the ADA incident was launched by ransomware group Black Basta.

But the ADA, in its statement to ISMG, did not specifically address whether its incident involved Black Basta or other ransomware. "The ADA recognizes unsubstantiated reports are being circulated by organizations with no connection to this investigation. The ADA is working closely with third-party cybersecurity specialists and federal authorities and will share updates as they become available," the statement says.

On its website, the ADA says it is the largest dental association in the U.S., representing 161,000 dentist members.

Disrupted Services

On Wednesday, the organization's website featured a banner message saying, "The ADA is experiencing a cybersecurity incident. We appreciate your patience and are working to get systems running smoothly."

But the incident has also affected some state dental associations, including the New York State Dental Association.

A notice on the New York State Dental Association's website, dated Monday but removed by Wednesday afternoon, said that the ADA "recently" had experienced a cybersecurity incident that caused a temporary disruption to certain computer systems.

"Upon discovery, ADA immediately responded by taking affected systems offline to secure its network and commencing an investigation into the nature and scope of the disruption," the NYSDA notice said. "ADA is working diligently to restore full and secure functionality to our network."

NYSDA posted a notice on its website Monday about the ADA incident.

Black Basta Assault?

Security researchers at MalwareHunterTeam, which operates a website to help victim organizations identify the ransomware used to encrypt their files, on Tuesday tweeted that ADA had been "powned" by ransomware group Black Basta.

Bleeping Computer reported on Tuesday that a posting, which now appears to have been removed, on the Black Basta site on the dark web claimed to have leaked approximately 2.8GB of ADA data, which the group alleged is 30% of the data it stole in the attack.

The allegedly affected ADA data includes W2 forms, accounting spreadsheets and information on ADA members from screenshots shared on the data leak page, Bleeping Computer reported.

"Black Basta is a new operation that seems to be picking up pace," says Brett Callow, a threat analyst at security firm Emsisoft. "The ransomware appears to be unrelated to other strains and, unfortunately, is secure - meaning that the only ways to recover encrypted data are by replacing it from backups or by paying the ransom."

In general, when an allegedly breached organization is removed from a dark web leak site listing, "it may indicate either that the organization paid or that it agreed to come to the negotiating table," Callow says.

Based on publicly available information related to the ADA incident, the attack "looks pretty standard," says Erick Galinkin, principal artificial intelligence researcher as security firm Rapid7.

"The Black Basta group, which is relatively new on the scene, hasn't been around long enough to know much about their TTPs, or IoCs in general, but their motive, like many cybercrime gangs, is likely money, first and foremost," he says. "We're keeping an eye out on telemetry and their leak site to assess any trends in their targeting, but to date, they've only publicly disclosed two targets."

Tenet Health Incident

In addition to the attack on ADA, Dallas-based Tenet Health, which operates 60 hospitals and about 550 outpatient centers and additional healthcare sites in several states, on Tuesday issued a statement saying the organization last week experienced a cybersecurity incident. "The Company immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols, and quickly took steps to restrict further unauthorized activity," the statement says.

In its statement, Tenet says efforts to restore affected IT operations continue to make progress. "While there was temporary disruption to a subset of acute care operations, the Company’s hospitals remained operational and continued to deliver patient care safely and effectively, utilizing well-established backup processes. At this time, critical applications have largely been restored and the subset of impacted facilities has begun to resume normal operations."

Tenet says the company also launched an investigation of the incident and is taking "additional measures to protect patient, employee and other data, as appropriate, in response to this incident."

Tenet did not immediately respond to ISMG's request for additional details about its incident, including whether ransomware was involved.

Other Breaches

The ADA is not the only dental industry organization to suffer a recent cyber incident. Last October, the Professional Dental Alliance, which owns dental practices in 15 states, notified more than 170,000 individuals of a March 2021 phishing incident involving an affiliated vendor, North American Dental Management, which provides nonclinical management services to dental practices owned by PDA.

Also, last month, Texas-based JDC Healthcare Management, which operates under the name Jefferson Dental & Orthodontics and boasts of being "the official dentist" of a National Basketball Association team, reported a hacking incident affecting 1 million individuals (see: 'Official Dentist' of NBA Team Says Hack Affected 1 Million).

ADA is also among the latest medical professional organizations hit by hacking incidents. Last October, the American Osteopathic Association, which represents 151,000 osteopathic physicians and medical students across the U.S., notified nearly 28,000 individuals about a June 2020 data exfiltration incident involving their personal information.

Also, last April, the American College of Emergency Physicians reported that a "malware" attack detected on Sept. 7, 2020, affected more than 70,000 of the group's current and former members, as well as members of three other emergency medical professional organizations.

Sensitive Data

The information compromised through the security incidents involving an organization that serves the medical community is especially sensitive because it can expose the individuals whose data was disclosed to significant financial fraud or harm to their reputation, says privacy attorney David Holtzman of the consulting firm HITprivacy.

"When collecting this type of sensitive personally identifiable information, the organization should carefully assess why the information is being collected and minimize access to the data to only those with an appropriate role in the organization," he says.

Such organizations should not create "unnecessary or duplicative collections" of sensitive PII, including information stored on backup servers, network drives or unencrypted drives or applications, according to Holtzman. He recommends that organizations "securely delete electronic files containing sensitive PII" that is no longer needed, wherever it is stored.

Valuable Targets

Healthcare professionals are especially vulnerable for identity theft and financial fraud, Holtzman says.

That's because many miss the warning signs that someone is misusing their personal information and committing fraud. "For example, a dentist practicing independently may not be attentive to careful review of banking and other financial statements that would reveal changes to direct deposit amounts for income received through their dental practice or unauthorized transfers to debiting the account," he says.

"They may not see notices from government agencies about claims filed using their provider number, a notice from the IRS that they didn't pay income taxes on the fraudulent claims or that their Social Security number was used on another tax return, or get collection notices or bill for products or services they didn't receive," he adds.

Steps to Take

Erick Galinkin says that for Black Basta and other extortion groups - especially those that practice double extortion - critical advice "is pretty well-trodden, but worth emphasizing." It includes:

  • Back up data. "The leak can be damaging, but ransomware that isn't double extortion is still out there and backups will help," he says.
  • Look for signs of lateral movement in the environment. "It's rare that attackers land on one machine that has all the data they want, so they'll need to move around. Stopping the lateral movement is really effective."
  • Keep systems patched. "Attackers are quick to adopt new exploits, and they're happy to take advantage of delays in your patch processes," Galinkin says.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.