Data Breach Likely Compromised Private Consumer Information for 10% of Delaware’s Population

A dental and vision benefits administrator becomes the latest victim of hackers seeking personally identifiable information.
June 26, 2019

Data on medical providers could be among the accessed records

Delaware’s insurance commissioner announced on June 24 that 95,000 people, as much as 10% of the small Atlantic coast state’s population, may have been impacted by a data breach.

Commissioner Trinidad Navarro said records held by Dominion National, a dental and vision benefits administrator, were possibly accessed by unknown outside parties as early as Aug. 25, 2010.

In a press release put out by the Delaware Department of Insurance, Dominion National stated that there was “no evidence that any information was in fact accessed, acquired or misused.”

Nevertheless, the commissioner’s office announced that Dominion National is providing two years of free credit monitoring and fraud protection services for all individuals potentially impacted by the incident.

The string of events kicked off on April 24, 2019, when Dominion National received an internal alert and conducted its own investigation. The benefits administrator discovered that servers containing enrollment data, demographic details, and personal information of consumers, plan producers and health care providers may have been accessed by a third party.

Dominion reported the breach to the Delaware Department of Insurance, cleaned the affected servers and conducted a comprehensive review of data that was stored on or could have been accessible from those servers.

The department of insurance is now conducting its own investigation to determine whether appropriate safeguards were in place and if private consumer information was properly handled.

Types of records that could have been accessed in the breach include names, addresses, dates of birth, e-mail addresses, Social Security numbers, taxpayer IDs, bank account and routing numbers, member ID groups, group numbers and subscriber names.

“With highly sensitive data from home addresses, social security numbers and bank details exposed through the breached servers, the length of time this information was open to unauthorized access gives cause for great concern,” said Fraser Kyne, the CEO of information security firm Bromium.

“It’s unclear how the original breach occurred in this case,” Kyne said. “However, the most common attack vectors are e-mail and browsers, accessed through the endpoint. From there, hackers can make their way through the systems to get to their target: in this case, the company’s servers.”

“Trying to detect an attack like that in real time is a fallible approach, and once a hacker has made its way they can deploy all manner of disguises to stay under the radar,” Kyne added.

The records could have been those of Dominion National enrollees, or enrollees in insurance plans for which Dominion National was a third party administrator.

According to the company’s web site, Dominion National has more than 900,000 customers, including municipalities, employer groups and individuals.

In a statement on the company’s web site, Dominion National President Mike Davis said the data may include enrollment and demographic information for current and former members of Dominion National and Avalon Vision and “current and former members of plans we provide administrative services for.”

“In addition, the data may include personal information for producers who placed Dominion National and Avalon Vision policies and health care providers participating in the insurance programs of Dominion National,” his statement read.

Davis said the FBI has been notified of the breach and that his team is working with the Bureau as it conducts its investigation.

“Safeguarding the privacy of your personal information is a top priority for us and we make every effort to protect your information,” Davis said.

“We recognize the frustration and concern that this news may cause, and rest assured we are doing everything we can to protect your information moving forward,” he added.

Dan Reynolds is editor-in-chief of Risk & Insurance.