Delta Dental of California and affiliates1 (“Company”) is informing you about a data security incident that may have impacted the personal information, including protected health information (“PHI”) of individuals associated with your organization. We take the privacy and security of your organization’s information seriously, and sincerely apologize for any concern or inconvenience this may cause you. This letter provides information about what happened, our investigation, what we are doing in response, and immediate action needed from you.
What Happened?
Progress Software announced a previously unknown vulnerability within their widely used MOVEit file transfer software program. This vulnerability led to a global data security incident that is reported to have impacted many organizations, including corporations, government agencies, insurance providers, pension funds, financial institutions, state education systems and more.
On June 1, 2023, the Company learned unauthorized actors exploited a vulnerability affecting the MOVEit file transfer software application. Immediately after being alerted of the incident, we launched a thorough investigation and took steps to contain and remediate the incident. We stopped access to the MOVEit software, removed the malicious files, conducted a thorough analysis of the MOVEit database, applied the recommended patches provided by the MOVEit software company, Progress Software Corporation, and reset administrative passwords to the MOVEit system. We also enhanced unauthorized access monitoring related to MOVEit Transfer file access, malicious activity, and ransomware activity.
On July 6, 2023, our investigation confirmed that Company information on the MOVEit platform had been accessed and acquired without authorization between May 27, 2023 and May 30, 2023. At that time, we promptly engaged independent third-party experts in computer forensics, analytics and data mining to determine that information was impacted and with whom it is associated.
This extensive investigation and analysis of the data recently concluded and was a critical component in enabling us to identify specific personal information that was acquired from the MOVEit platform. Upon that determination, we have worked diligently to identify any impacted individuals to provide notification. On November 27, 2023, we determined that personal information, including PHI, such as information shared in connection with dental procedures and claims payments, associated with your organization was affected. In addition to our own investigation, we have also notified law enforcement of the incident and have been cooperating with them since
What We Are Doing:
With your authorization, we will provide notice to each of the affected individuals whose information was impacted and offer identity monitoring services. Please see the “Action Needed” section below for information we need from you.
Data security is a priority for our Company. We apply security patches for known vulnerabilities provided by third-party software vendors, regularly update our capabilities to monitor potential security threats and consistently manage access to our systems and data.
Action Needed:
Under applicable law, you or your organization may be required to provide notice of this incident to potentially affected individuals or certain regulators. To formally delegate the notification of impacted individuals – and the regulatory entities associated with this incident – to the Company, you must opt-in on the Kroll Notification Navigator Portal by January 26, 2024. We will not take any action described above without authorization.
You have until January 26, 2024 to take advantage of these services. The Company will mail multiple batches of individual notifications, which means you should only opt-in to individual notices (Step 3) and confirm the data file of impacted individuals (Step 4) if you are ready for the Company to notify those individuals. You can complete authorization for HHS/OCR and state reporting obligations (Steps 5 and 6) later, but once Steps 3 and 4, authorization for individual notices, are complete, the impacted individual notification process begins shortly thereafter.
We are unable to provide you with legal advice, and recommend you discuss the contents of this letter and your organization’s potential notification obligations with your legal counsel. In the event you determine that notification to the associated individuals is appropriate, we will do all of the following upon your authorization:
•For those individuals for whom we have an address, we will mail notification letters to the individuals impacted, notifying each individual of the incident and steps they can take to avoid potential identity theft. See attached individual notification letter for adults that we will mail.
•For the individuals with a Social Security number potentially involved in the incident, we will provide these individuals with access to 24 months of identity monitoring services, which includes credit monitoring, $1 Million identity fraud loss reimbursement, fraud consultation and identity theft restoration.
•We will include in the notification letter a toll-free telephone number for individuals to call to activate identity monitoring services and if they have further questions about the incident.
•If required, we will notify the Department of Health and Human Services Office for Civil Rights, and any required state regulators on your behalf.
•You may have additional notification obligations to regulators under data breach notification laws. You may wish to discuss such potential obligations with your counsel. If you direct us, we will make the state notifications.
Contact Information
If you have questions about this incident or the information in this letter, please call:
- Enroll.krollmonitoring.com
- (866) 983-8645