Delays impacting operations, including payments and insurance transactions

Earlier this month, one of the nation’s largest health care companies experienced a cybersecurity attack immobilizing much of the industry. Change Healthcare, a subsidiary of UnitedHealth Group that also operates as Optum Solutions, states that it interacts with 1 in every 3 patient records. Their systems are integral in many areas of pharmacy operations, provider claim processing, billing and cost estimation services, patient eligibility verifications, and other clinical decision supports.

On February 21, 2024, Change Healthcare locked their systems in an attempt to limit the impact of the cybersecurity attack discovered that day. The ongoing disruption has created adverse impacts for providers and pharmacies, generating delays for consumers, limiting the ability to process payments and consumers’ insurance, and requiring complex workarounds or movement to new systems. It is believed that the attack was completed by a foreign hacking group. Federal entities are involved in the investigation.

“The implications of this cyberattack are wide-reaching and not yet fully known. We hope that raising awareness of this issue will encourage consumers to be patient with any delays in clinical and pharmacy activities. Please know that all parties are working as hard as they can to continue operations despite this issue. If you are in urgent need of medication, or will be soon, please get in touch with your local pharmacy before visiting. You may need to use a different pharmacy, or plan to pay in cash,” said Insurance Commissioner Trinidad Navarro. “No timeline currently exists for resolution, and health care providers and pharmacies have been encouraged to remain disconnected from the impacted systems.”

Insurers have been in contact with the Delaware Department of Insurance about this issue and are in communication with contracted providers to inform them of available portals and processes. The Delaware Insurance Data Security Act has not yet been triggered, but all parties continue to watch the situation closely. Additionally, the department will be closely monitoring any potential prompt payment compliance issues that may arise as a result of this situation.

At this time, there is no indication that consumer data or insurer data has been impacted. However, consumers are still encouraged to engage in personal cybersecurity practices at an enhanced level. To protect from a cybersecurity attack, install anti-malware protection and use complex passwords that cannot be easily guessed. Do not click on suspicious links in emails or pop-ups, including those purporting to be from health care services, providers, insurers, and pharmacies. Residents might consider freezing their credit report to protect data.

View Change Healthcare’s Incident Page

Register for Activities Statewide Throughout October 2023

Dover, Del. — It has been two decades since the federal launch of October as Cybersecurity Awareness Month. Over the past twenty years, cybersecurity protection strategies have changed drastically. In response to the ever-evolving cyber landscape, Governor John Carney and Lieutenant Governor Bethany Hall-Long are providing their support by again proclaiming October as Delaware’s Cybersecurity Awareness Month. This allows resources to be made available to provide free events including informational tables, presentations, workshops, and other activities throughout the State to help Delawareans of all ages to learn how to improve their security posture.  These programs cover topics on Protection (social media security and privacy information), Device Security (hands-on instruction on setting up device security on Android and Apple devices), and Detection (identifying, reporting, and learning about current scams).  Cyber Security Awareness Month will culminate with the 14^th Annual Secure Delaware Workshop on Tuesday, October 24, 2023, from 8:00 a.m. to 4:00 p.m. at the University of Delaware’s Clayton Hall.

“We must learn to protect ourselves in the digital age and it takes all of us to help keep our data secure. I encourage everyone to take advantage of the free activities and resources made available during Cybersecurity Awareness Month,” said Governor John Carney. “I want to thank the Delaware Department of Technology and Information for their efforts in educating the public of the risks and keeping Delaware safe from cyber-attacks.”

“We love to see advancements in technology for the convenience to the public and accuracy of data for business uses, but there is always an inherent risk that the technology can be used criminally. We’ve seen recent occurrences of cybersecurity attacks in the news, but much more common are incidents of credit card and identity theft — all of which can have devastating impacts,” said State of Delaware CIO Gregory Lane. “Bad actors only get more sophisticated, which is why it is so important that everyone learns how to protect themselves and stay safe online. Delaware Cybersecurity Awareness Month events provide opportunities that everyone can leverage to learn to be more vigilant.”

Delawareans of all ages are encouraged to join the events offered throughout October, including the Cybersecurity Awareness Month finale event — the 14^th annual Secure Delaware Workshop. Presented by the Delaware Department of Technology and Information (DTI) along with the Delaware League of Local Governments, Delaware Small Business Development Center, and the University of Delaware; the 2023 Secure Delaware Workshop provides training for businesses, students, and government employees that work, study, or live in Delaware. This free, in-person event is being held on Tuesday, October 24^th from 8:00 a.m. to 4:00 p.m. at the University of Delaware’s Clayton Hall and will include two keynote speakers and nine breakout sessions designed to have something for everyone.  Whether you are a student just getting into the field and want to learn more about creating your own cyber range, a business manager concerned with the newest cyber laws and cyber insurance changes, or a long-term IT professional interested in attack simulation, deception technology, or ChatGPT, this conference has something for you.  This event offers the perfect opportunity to network with cyber professionals and technology vendors.

To learn more about cyber events happening in Delaware including Secure Delaware Workshop 2023 with registration information, visit the event page at https://digiknow.dti.delaware.gov/events/. There is no cost to attend any State of Delaware’s Cybersecurity Awareness Month activities. Please note that registration is limited for each of the events and final registration to attend the Secure Delaware Workshop closes October 6^th.

###

Media Contact:

Christina Dirksen, Strategic Communications Manager, DTI
(302) 739-9736 w Christina.Dirksen@state.de.us

About the Delaware Department of Technology and Information

The Department of Technology and Information (DTI) is the state’s central IT organization, chartered to deliver core services to other state organizations and exercise governance over the technology direction and investments of the state. DTI provides enterprise services that enable other organizations to effectively fulfill their missions.

More than 37,500 Delaware agents, policyholders, beneficiaries impacted

Following the receipt of additional data breach reports from insurers, including those related to the breach of the MOVEit file transfer services system used by third-party vendors, the Delaware Department of Insurance is updating this consumer alert and will be updating the online posting as information is received.

Residents who may be agents, policyholders, or beneficiaries of the following insurers should be aware that their personal data may have been compromised, and should watch for contact:

As shared during a June 26 consumer alert, the MOVEit data breach and other data security events trigger Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
  Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly. “I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers should consider freezing their credit report due to the incident.

[Last Update: August 16, 2023 – Insurer and Producer added; Impact counts amended]

Insureds, agents, and beneficiaries should watch for notification

On June 16, PBI Research Services, a third-party vendor for Genworth Financial, disclosed a data breach that impacted the personal information of an estimated 2.5-2.7 million individuals, including about 8,000 Delaware residents. At this time, the company has indicated that the potentially compromised information may include agents, policyholders, and beneficiaries’ data including names, contact information, dates of birth, social security numbers, and policy numbers. Consumers are urged to be vigilant in protecting their data, as beneficiaries may not be aware of policies that contain their information, particularly in regard to life insurance benefits.

This event triggers Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following now occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
• Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly.

“I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department has received a relevant policyholder list, including consumers of long-term care, life insurance, and annuities lines, which investigators may use to check company compliance with the Act. Consumer service representatives may also use this information to help concerned agents, policyholders, and beneficiaries who contact the office.

This incident was a part of a significant cybersecurity attack involving the MOVEit file transfer system, with the breach likely occurring May 29-30 before a corrective action was implemented on June 2. The department has not at this time been notified of additional insurer or insured information being accessed as part of this breach.

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers can visit Genworth.com/MOVEit for updates and should consider freezing their credit report due to the incident.

FOR IMMEDIATE  RELEASE
October 17, 2022

Program Contact:
Claudette Wus, Senior Disaster Recovery Specialist, DTI
(302) 739-9636
Claudette.Wus@delaware.gov

Media Contact:
Christina Dirksen, Strategic Communications Manager, DTI
(302) 739-9736
Christina.Dirksen@state.de.us

Governor Carney Announces DE’s Participation in CyberStart America and Cyber FastTrack
CyberStart America and Cyber FastTrack offer free, fun games for high school and college students to discover their talent and enter the field of cybersecurity. Registration is open now!

Dover, Delaware — Delaware Governor John Carney and Chief Information Officer (CIO) Jason Clarke have announced that high school and college students across the First State can now register for CyberStart America and Cyber FastTrack.  This innovative online program, sponsored by the National Cyber Scholarship Foundation and the SANS Institute, allows participants to explore their potential cybersecurity talent. Building on the success of previous years’ National Cyber Scholarship Competitions, CyberStart America is open to all high school students. Delaware students in grades nine through twelve will have the chance to win prizes and recognition for their schools, as well as scholarships for advanced training. Cyber FastTrack is available for college students, where they too will have a chance to win scholarship awards and recognition for excellent performance. Nearly 1,400 Delaware students have participated in these programs over the past 7 years.

“One of the most important challenges for us is developing the cybersecurity workforce and finding talent. That’s why the programs that DTI and other partners are participating in are so important,” said Governor Carney. “Recently, I was able to meet some of these talented, next generation of cyber experts from last year’s CyberStart and Cyber FastTrack programs. With these programs, they have a strong foundation to pursue a cyber career.”

The CyberStart and Cyber FastTrack programs both offer a series of online challenges that allow participants to act as cyber protection agents solving cybersecurity-related puzzles and exploring related topics such as code-breaking, programming, networking, and digital forensics. For the high school level, the program can be assigned as part of homework, form the basis of an extracurricular club, or students can simply try it on their own. Participating students and their teachers do not need knowledge or experience in information technology or cybersecurity to take part. Everything they need can be learned in the game; however, support and communication about the program to students are needed. Both programs are free for schools and students. New this year will be a high school cyber presentation provided by Chief Security Officer Solomon Adote on October 27^th that will include information on cyber careers as well as a demo of the CyberStart America platform. High School students should contact their teacher for more information.

Students who do well in the program can earn access to scholarships and advanced training. The 2021-22 session had 352 Delaware high school student participants in CyberStart America — three of whom earned Finalist level and nine that reached the Scholar level — while 133 Delaware college students participated in Cyber FastTrack, with one reaching the Finalist level and eight in the Scholar bracket. These students were recognized at the Secure Delaware Workshop on October 4, 2022, which coincided with registration opening of the 2022-23 session of both CyberStart America and Cyber FastTrack.

“I was introduced to “CyberStart American early Freshman year. I thoroughly enjoyed completing the challenges in the program, as they are presented in a beginner-friendly, non-intimidating manner. As I completed more and more challenges, I found that I could apply my knowledge in coding, forensics, cryptography, hashing, and the Linux command line that I’ve acquired from my experiences in Cyberpatriot and summer programs,” said Padua student Trisha Srikanth.  “Further, framing the challenges as hypothetical real-world situations certainly enlivened a very technical field and made the challenges more dynamic and engaging. In our increasingly digitized society, it is important that there are enough cybersecurity professionals to protect American devices and systems. Thus, it is wonderful that CyberStart is making cybersecurity more accessible to young students like me, sparking our passion for pursuing this field. Lastly, I am very grateful to DTI, our governor, and my community at Padua for all of their support and encouragement.”

“Cyber FastTrack helped me quickly learn about a broad range of topics in cybersecurity,” said Wilmington University student Richard Eaton. “Identification as a National Cyber Scholar provided me additional SANS Foundations training and certification that was some of the best, most engaging online training I’ve ever taken. It also afforded me the opportunity to be recognized in the field and establish meaningful connections with local cybersecurity leaders that have already provided job opportunities. I’m so grateful for the experience.”

“There is no question that it has been an eventful year on the cyber security front.  Everything from major breaches to new vulnerabilities, and an even greater focus on protecting critical infrastructure and third-party/supply chain compromises. It’s important to identify the next generation of cyber defenders to protect against these attacks that happen every minute of each day.  With programs like these, participants can pursue their passion in cybersecurity to help in this fight,” said CIO Jason Clarke.

To learn more about CyberStart America or to register, visit cyberstartamerica.org. College students can view the program details and register to participate at cyber-fasttrack.org.

###

About the Delaware Department of Technology and Information

The Department of Technology and Information (DTI) is the state’s central IT organization, chartered to deliver core services to other state organizations and exercise governance over the technology direction and investments of the state. DTI provides enterprise services that enable other organizations to effectively fulfill their missions. DTI.delaware.gov

About CyberStart America

CyberStart America and Cyber FastTrack are free national programs for high school and college-level students, aiming to uncover hidden cyber talents, and to identify and develop the next generation of cyber superstars. The immersive gamified learning platforms can take students from zero cybersecurity knowledge to possessing the skills necessary to compete in a national-level Capture the Flag challenge in a matter of weeks. Students new to the field with a strong aptitude, as well as students with existing interest in the field, can use the platform to train and qualify for the National Cyber Scholarship Competition, allowing them to compete for life-changing college scholarship opportunities.

About The National Cyber Scholarship Foundation (NCSF)

The National Cyber Scholarship Foundation (NCSF) is a national nonprofit whose mission is to identify, nurture and empower the next generation of cybersecurity experts and eliminate the cybersecurity skills gap in the United States. NCSF aims to support the entry of thousands of highly talented students to the cybersecurity industry by providing enrichment opportunities, world-class training, and scholarships to fund advanced skills training.