Customers of Dominion National, a dental and vision insurer and administrator, have started to receive notifications about a potential intrusion on the company's computer systems that may have exposed personal information to an unauthorized party.
The breach may have occurred almost nine years ago, on August 25, 2010, and was uncovered only recently following an internal alert. After the discovery, steps were taken to clean the affected servers.
Few details have been made public, but the company assesses that the systems accessed without authorization included information like names and postal addresses, dates of birth, email addresses, social security numbers, taxpayer IDs, bank details (account, routing numbers), as well as member ID, group, and subscriber numbers.
Data belonging to producers and healthcare providers was also present on the affected servers, the insurer says.
"We have undertaken a comprehensive review of the data stored or potentially accessible from those computer servers and have determined that the data may include enrollment and demographic information for current and former members of Dominion National and Avalon vision, and current and former members of plans we provide administrative services for," reads a statement from the company.
The discovery was made on April 24 and prompted an investigation that did not uncover undeniable evidence that the intruder accessed, copied, or misused the information.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities have to report a security breach incident within 60 days of the discovery; reasonable delay does not apply to this.
Dominion National contacted the FBI about the security incident and will cooperate with authorities for the duration of their investigation.
A phone line is open Monday through Friday for twelve hours each day starting 8 a.m. Eastern for anyone looking for more details about the incident.
Individuals who believe they were affected by this breach but did not receive a notification letter by September 23, 2019, should contact Dominion National at the number available in their online statement.
Comments
Arctific - 4 years ago
In 2010, the FBI had firms with full forensic data showing one firm was under continuous attack for 10 years before discovery. Back then the median time was 415 days from a sample of 2500 firms the FBI was working with. This would lead to the view that a firm only has a 0.17% chance per day of discovering it is under active attack on any given day back then. Taking Verizon studies as a current improvement near 183 days on average before discovery, things have improved to 0.38% odds per day of discovering that a firm is under active attack.
But, this also makes lack of discovery for 9 years much worse than industry peers today than it used to be. 99.9996% worse than other firms. At somewhere above 790 days of undiscovered attack, one can become 95% sure that lack of discovery of active attack is not a matter of bad luck. It becomes worthwhile to look for a bad process or contributing factor limiting the possibility of discovery.
To the credit of Dominion National's Brad Terry, Director, Legal, Regulatory and Compliance, the problem got reported. Improvements must start somewhere. The question of how it went undetected and what process changes must be made to business as usual operations would be the key thing to look for.