Insurer Dominion National Reports Server Hack That Began August 2010 – Almost Nine Years Ago
Dominion National, an insurer and administrator of dental and vision benefits, announced that their servers containing the data of current and former members were hacked. The network data breach began in August 2010. Members of Dominion National and Avalon vision, plus current and former members of plans Dominion provides administrative services for are affected. The cyber security investigation was completed in April 2019, but it is not clear when it began. Data on the compromised servers includes payment information, plan enrollment and demographic data of current and former vision plan subscribers and data of individuals of dental and vision benefits. No figures on the numbers of subscribers and providers affected has been given.
Dominion National’s investigation which concluded on April 24, 2019 found that patient and provider data on their servers was accessed beginning as early as August 25, 2010 – a period of almost nine years.
Hackers accessed enrollment and demographic data of current and former members of the insurer’s vision plan, and data of individuals of dental and vision benefits. The compromised data could include names, Social Security numbers, addresses, birthdates, member identification numbers, group numbers, subscriber numbers, and member email addresses. The hacked servers also contained data of plan producers and participating healthcare providers. The provider data may include names, birthdates, and Social Security numbers or taxpayer identification numbers. The compromised producer information may include names and Social Security numbers.
Members who enrolled online at https://www.dominionnational.com/ may have also had bank account and routing numbers compromised.
Dominion National announced the hack about 60 days after the investigation concluded. According to the Health Insurance Portability and Accountability Act of 1996 (HIPPA) organizations are compelled to report data breaches within 60 days of discovery. It is not clear when Dominion National first discovered the server compromise. Dominion National has reported the security incident to the Federal Bureau of Investigations (FBI) and hired a third-party cyber security firm. It was discovered that the unauthorized server access started as early as 2010.
The company’s announcement of the hack stated, “On April 24, 2019, through our investigation of an internal alert, with the assistance of a leading cyber security firm, we determined that an unauthorized party may have accessed some of our computer servers. The unauthorized access may have occurred as early as August 25, 2010.”
After learning of the data breach, the affected servers were secured, and enhanced monitoring and alerting software was added. The FBI was contacted as well.
This comes on the heels of two other massive data breaches. American Medical Collection Agency was hacked earlier this year over a period of four months. The personal data of almost twenty million customers or Quest Diagnostics and LabCorp was stolen by hackers some of which was already found on the dark web. The hacked data included payment information, addresses, birthdates, and healthcare information. The hacked company was a third-party collection agency working for Quest, LabCorp, and other medical providers. Initially, American Medical offered free credit monitoring as a service to affected customers but then declared bankruptcy due to loss of business after the cyber security attack announcement.
It is unknown if any Dominion National data has been found for sale on the dark web. Dominion National is not stating how many people are affected by the data breach.
Dominion National Offers Free Credit Monitoring
Dominion National began to notify members about the data compromise in writing as of June 21, 2019 although the company has not stated how many are affected. Affected individuals will receive two years of credit monitoring and fraud protection services with ID Experts MyIDCare. To enroll in credit monitoring and fraud protection, contact Dominion National’s incident response line or visit their website at https://dominionnationalfacts.com/
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers