Dominion National is notifying patients of a data security incident that first started in 2010 and has affected nearly 3 million members.
Dominion National is a health insurer, health plan administrator, and administrator of dental and vision benefits based in Virginia. Staff at the organization discovered the breach after an internal alert on their system notified them of suspicious activity. After an initial investigation, Dominion concluded that their system had suffered a data breach.
Dominion hired a third-party cybersecurity firm to perform a comprehensive forensic analysis of the affected systems. The investigators reviewed the affected data and confirmed that hackers might have compromised the sensitive information of current and former members of Dominion National and Avalon Vision plans. The investigators also concluded that the PHI of individuals who are members of health plans for which the company provides administration services might have also been affected.
Data relating to individuals affiliated with the organizations for which the company administers dental and vision benefits, plan producers, and participating healthcare providers was also potentially compromised.
Dominion discovered that the hackers first gained access to the data nearly nine years ago, on August 25, 2010. The investigation into the cyberattack concluded on April 24, 2019.
Per HIPAA’s Breach Notification Rule, Dominion sent breach notification letters to all affected individuals on June 21, 2019. As individuals whose data is compromised in such breaches are at higher risk of becoming victims of identity fraud, Dominion has offered two years of membership to credit monitoring and identity theft protection services.
While system access was confirmed, Dominion National uncovered no evidence to suggest any patient data was accessed, acquired or misused by the individual responsible for the attack.
Dominion has since stated that it has blocked unauthorized access to all affected servers and has enhanced its monitoring and alerting software.
The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.
Dominion has also submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights. According to the summary published on OCR’s Breach Portal, 2,964,778 plan members have had their PHI exposed.
“We recognize the frustration and concern that this news may cause, and rest assured we are doing everything we can to protect your information moving forward,” Dominion National President Mike Davis said in a statement. “We are committed to making sure you get the tools and assistance you need to help protect your information.”