American Dental Association says April cyberattack involved ransomware

The American Dental Association (ADA) is sending out breach notification letters confirming that it suffered a ransomware attack in April.

The professional association for dentists – which has more than 160,000 members – would only say it was facing a cyberattack in comments to The Record on April 27. 

At the time, the organization said it discovered the attack on April 21 when certain systems — including its Aptify email application, telephone network and web chat — were disrupted.

The IT team took the affected systems offline and began the investigation. The Record was contacted by one student who was unable to register for his dental school exam because of the attack.

The organization said at the time that “no member information or other data has been compromised."

But in breach notification letters now being sent out, ADA executive director Raymond Cohlmia admitted that the incident was a ransomware attack, confirming reports from both Emsisoft analyst Brett Callow and the independent MalwareHunterTeam, which tracks ransomware incidents, that the Black Basta ransomware group claimed credit for the attack.  

“On or about April 21, 2022, ADA experienced a disruption to certain computer systems following a sophisticated cyber-attack involving ransomware,” Cohlmia said. “On or about April 27, 2022, we determined that certain information on ADA’s systems was accessed and/or acquired by an unauthorized actor.” 

According to Cohlmia, the ADA’s investigation into “what information was stored on impacted systems at the time of the incident and to whom that information relates” only finished on June 10. 

The ADA attributed the lengthy delay in reporting the incident to those affected because they needed time to “locate address information for the potentially affected individuals.”

The sample breach notification letters do not say what “personal information” was involved in the breach. An ADA spokesperson did not respond to questions about what data was held on their servers. 

The organization notes in the letter that law enforcement was contacted about the attack and victims are being offered one year of identity protection services through Experian.

In April, Black Basta said it leaked 30% of the 2.8 GB of data it claims to have stolen from the ADA. The attackers said the data includes financial information, spreadsheets, W-2 forms and troves of information on ADA members. 

Black Basta later removed the ADA from its list of victims, according to Callow, which sometimes happens when a ransom is paid. The ADA did not respond to requests for comment about whether it paid a ransom.

The ransomware gang is relatively new and the ADA was the first organization it added to its leak site.