More than 37,500 Delaware agents, policyholders, beneficiaries impacted

Following the receipt of additional data breach reports from insurers, including those related to the breach of the MOVEit file transfer services system used by third-party vendors, the Delaware Department of Insurance is updating this consumer alert and will be updating the online posting as information is received.

Residents who may be agents, policyholders, or beneficiaries of the following insurers should be aware that their personal data may have been compromised, and should watch for contact:

As shared during a June 26 consumer alert, the MOVEit data breach and other data security events trigger Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
  Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly. “I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers should consider freezing their credit report due to the incident.

[Last Update: August 16, 2023 – Insurer and Producer added; Impact counts amended]

Insureds, agents, and beneficiaries should watch for notification

On June 16, PBI Research Services, a third-party vendor for Genworth Financial, disclosed a data breach that impacted the personal information of an estimated 2.5-2.7 million individuals, including about 8,000 Delaware residents. At this time, the company has indicated that the potentially compromised information may include agents, policyholders, and beneficiaries’ data including names, contact information, dates of birth, social security numbers, and policy numbers. Consumers are urged to be vigilant in protecting their data, as beneficiaries may not be aware of policies that contain their information, particularly in regard to life insurance benefits.

This event triggers Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following now occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
• Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly.

“I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department has received a relevant policyholder list, including consumers of long-term care, life insurance, and annuities lines, which investigators may use to check company compliance with the Act. Consumer service representatives may also use this information to help concerned agents, policyholders, and beneficiaries who contact the office.

This incident was a part of a significant cybersecurity attack involving the MOVEit file transfer system, with the breach likely occurring May 29-30 before a corrective action was implemented on June 2. The department has not at this time been notified of additional insurer or insured information being accessed as part of this breach.

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers can visit Genworth.com/MOVEit for updates and should consider freezing their credit report due to the incident.

Devices being used to treat chronic conditions, COVID-19

Delaware Insurance Commissioner Trinidad Navarro has released a consumer alert for users of respiratory devices manufactured by Philips. An estimated 4 million Philips Continuous Positive Airway Pressure (CPAP) and Bi-Level Positive Airway Pressure (BiPAP or BiLevel PAP) devices, as well as mechanical ventilators manufactured before April 26, 2021 are being recalled due to potential health risks associated with the sound abatement foam in the devices that may degrade and be inhaled, and could contain cancer-causing chemicals.

The Delaware Department of Insurance is issuing this notice after the company’s recall notification and lack of communication to consumers and facilities has caused concern, particularly due to the necessity of devices in the treatment of both chronic conditions as well as facility-based usage. Recalled devices include those listed as providing respiratory treatment or support for COVID-19 patients.

While the recall notice urges immediate discontinuation of device use if possible, some individuals require the use of CPAP, BiPAP, and ventilator devices and may face serious medical issues, including the possibility of death, if they do not have access to a machine. Residents using these medically necessary devices should contact their physician to discuss the best path forward for their individual needs and register in the Philips recall system online or call 1-877-907-7508 to begin a claim for replacement or financial restitution. Users should not make any changes to their equipment or treatment plan without discussing with a physician. Doctors are encouraged to proactively communicate with their patients, and facilities should check all machines.

At this time, the company has not provided a replacement or repair timeline after issuing notice in June that the sound abatement foam in these devices may degrade, be ingested, and create additional respiratory problems, and could be releasing carcinogenic or otherwise hazardous chemicals into the air pathway. The Department of Insurance encourages insurers to assist policyholders in any way possible during this situation.

Consumers should be wary of non-marketplace plans that offer limited benefits

Insurance Commissioner Trinidad Navarro is joining commissioners across the country in cautioning residents who may be considering purchasing an insurance plan that does not adequately meet their needs or comply with Affordable Care Act (ACA) benefit requirements. The Special Enrollment Period, which started February 15, is a great time to review and enroll in insurance plans offered on the Marketplace. However, non-compliant off-marketplace plans may be heavily advertised during this period, and may appear attractive despite often being more expensive and far less comprehensive.

One health insurance alternative that is being marketed quite a lot is short-term limited benefit health insurance. This not a recommended form of coverage, and these plans do not provide coverage for pre-existing medical conditions – anything that a person has been diagnosed with or sought treatment for within the past five or more years. Limited benefit plans only cover a set number of doctor visits for a limited dollar amount and may have very high deductibles and copay requirements. These plans do not qualify for or replace a major medical, ACA-approved health insurance policy, and policies are only effective for three months and are not renewable.

Other products contain similar flaws that could put the consumer at risk of significant medical bills, including lack of coverage critical needs. Coverage for prescriptions, pre-existing conditions, surgery and outpatient procedures, hospital and emergency visits, maternity and pediatric care, and mental and behavioral healthcare could all be excluded from these plans. Non-insurance products, such as health care sharing ministries, are not regulated, and as such are not required to cover a person’s needed care. Trade association plans and other limited plans can offer low-quality coverage that does not meet ACA standards and may not meet a consumer’s needs. None of these plans offer the financial subsidies and tax credits of ACA plans, which about 86 percent of Delaware enrollees are eligible for.

Delaware consumers can ask themselves questions to better recognize problematic plans:

• Is the policy underwritten by a reputable insurer?
• Does this policy cover pre-existing medical conditions?
• Are plan details, such as coverage for maternity care, available in writing?
• Is the plan found on an official Marketplace website, like HealthCare.gov or ChooseHealthDE.com?
• Can a person enroll without any auxiliary payment, such as an enrollment fee, subscription, or membership fee?

If the answer to any of these questions is no, the plan may not be legitimate, and the consumer should reconsider the policy. Even if these red flags are not found, residents should scrutinize plan content, and, if working with an agent or broker, verify their license with the department.

While the Delaware Department of Insurance has not seen significant increases in fraudulent contact or limited benefit plan sales, the pandemic has emboldened bad actors who aim to capitalize upon unusual circumstances, including the Special Enrollment Period.

The Special Enrollment Period was authorized by President Biden and will allow Marketplace enrollment through May 15 on HealthCare.gov. Individuals who are uninsured, regardless of the reason for their lack of insurance, can enroll during this period. Existing Marketplace participants have the option to move to another plan. Local coverage navigators are available to direct consumers to appropriate plans, visit the Choose Health DE website to get connected to a local navigator, or call (800) 318-2596.

More information about the Special Enrollment Period