Recently, the American Dental Association (“ADA”) confirmed that the organization was the target of a ransomware attack. As a result of the attack, an unauthorized party gained access to the sensitive consumer data contained on the ADA’s network. The ADA has not publicly disclosed which data types were leaked; however, the hackers posted some of the stolen data on the dark web. The posted data appears to belong to dentists and includes W2 forms, non-disclosure agreements, accounting spreadsheets, and information on ADA members. On July 15, 2022, the ADA filed official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the American Dental Association data breach, please see our recent piece on the topic here.
What We Know About the American Dental Association Data Breach
According to an official notice filed by the organization, on or around April 21, 2022, the ADA was the target of a “sophisticated cyber-attack involving ransomware.” This disrupted the normal function of the ADA computer system, which prompted the ADA to launch an investigation into the incident with the assistance of outside cybersecurity specialists. About a week later, on April 27, 2022, the ADA learned that an unauthorized party was able to access and possibly steal data from the ADA servers.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, the American Dental Association reviewed the leaked files to determine what information was compromised and who was affected. The ADA completed the process on June 10, 2022.
While the ADA does not indicate which data types were leaked, third-party news outlets report locating some of the leaked data on the dark web. According to one source, the leaked data consists of 2.8 gigabytes of data related to W2 forms, non-disclosure agreements, accounting spreadsheets, and other personal information about ADA members. However, the hackers explain that the leaked data represents only about 30 percent of the data stolen in the attack.
On July 15, 2022, the American Dental Association sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About American Dental Association
Founded in 1859, the American Dental Association is a nonprofit dental association located in Chicago, Illinois. The ADA’s stated mission is to help dentists succeed and support the advancement of public health. The ADA also advocates for public health by focusing on issues such as access to care. The American Dental Association also creates standards for the sale and marketing of dental products through the “seal of acceptance.” The ADA charges $14,500 to evaluate a product and an annual fee of $3,500 to maintain the seal. The American Dental Association has more than 161,000 members and generates over $57 million in annual revenue.
Ransomware Attacks Remain a Leading Cause of Data Breaches
Ransomware attacks are one of the most common ways cybercriminals orchestrate attacks designed to obtain consumer data. In fact, according to the Identity Theft Resource Center (“ITRC”), the number of ransomware attacks more than doubled between 2020 and 2021, with 158 ransomware attacks in 2020 and 321 in 2021. While 321 attacks may not sound alarming, every ransomware attack can affect thousands of individuals. Overall, the ITRC reports that over 41 million people were victimized by ransomware attacks in 2021 alone.
Ransomware attacks have been around for decades; however, in recent years, the number of ransomware attacks has surged compared to other cyberattacks. This is partly because technological developments now allow cybercriminals to target the most valuable data types.
In a typical ransomware attack, a hacker installs malicious software on a victim’s device. Usually, this is done through an email phishing attack or by placing malicious code on the back-end of an organization’s website. The malicious software encrypts the data on the device, preventing the victim from logging in. When the victim attempts to log in, they are met with a message from the hackers demanding a ransom if they want to regain access to their computer network.
However, in recent years, hackers have started to threaten to publish the stolen data on the dark web if the ransom is not paid. While not every ransomware attack results in consumer data being published to the dark web, that isn’t a chance that most organizations (or consumers) are willing to take. Thus, the threat of publishing data adds to an organization’s incentive to pay the ransom.
Given the frequency and risks of these attacks, it is important for both consumers and organizations in possession of consumer data to understand what ransomware attacks are, how they can be prevented, and what can be done to limit their effects, including identity theft and other frauds.