More than 37,500 Delaware agents, policyholders, beneficiaries impacted

Following the receipt of additional data breach reports from insurers, including those related to the breach of the MOVEit file transfer services system used by third-party vendors, the Delaware Department of Insurance is updating this consumer alert and will be updating the online posting as information is received.

Residents who may be agents, policyholders, or beneficiaries of the following insurers should be aware that their personal data may have been compromised, and should watch for contact:

As shared during a June 26 consumer alert, the MOVEit data breach and other data security events trigger Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
  Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly. “I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers should consider freezing their credit report due to the incident.

[Last Update: August 16, 2023 – Insurer and Producer added; Impact counts amended]

Insureds, agents, and beneficiaries should watch for notification

On June 16, PBI Research Services, a third-party vendor for Genworth Financial, disclosed a data breach that impacted the personal information of an estimated 2.5-2.7 million individuals, including about 8,000 Delaware residents. At this time, the company has indicated that the potentially compromised information may include agents, policyholders, and beneficiaries’ data including names, contact information, dates of birth, social security numbers, and policy numbers. Consumers are urged to be vigilant in protecting their data, as beneficiaries may not be aware of policies that contain their information, particularly in regard to life insurance benefits.

This event triggers Delaware’s Insurance Data Security Act, which in addition to proactive data security measures and other requirements, mandates the following now occur:

• Investigation of a cybersecurity event and correction of compromised information systems
• Detailed reporting to the Insurance Commissioner
• Notification to consumers within 60 days, except in cases where federal law or law enforcement agencies require or request modified timelines
• Consumers must be provided credit monitoring services at no cost for a period of at least one year in addition to receiving information regarding freezing one’s credit

Insurance Commissioner Trinidad Navarro encouraged consumers to protect their identities and reassured residents that the breach will be investigated thoroughly.

“I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered. Our Market Conduct staff, likely alongside investigators across the country, will work to investigate the situation and assess if appropriate safeguards were in place for the handling of data.”

The department has received a relevant policyholder list, including consumers of long-term care, life insurance, and annuities lines, which investigators may use to check company compliance with the Act. Consumer service representatives may also use this information to help concerned agents, policyholders, and beneficiaries who contact the office.

This incident was a part of a significant cybersecurity attack involving the MOVEit file transfer system, with the breach likely occurring May 29-30 before a corrective action was implemented on June 2. The department has not at this time been notified of additional insurer or insured information being accessed as part of this breach.

The department worked with the General Assembly in 2019 to pass the Insurance Data Security Act and was one of the first states to implement the National Association of Insurance Commissioner’s model law. The law is an effort to fortify security measures and protect consumer data. It requires insurance companies and their vendors to follow certain data protection and breach protocols, including notification. The department may investigate violations of the Act and levy penalties accordingly.

Consumers can visit Genworth.com/MOVEit for updates and should consider freezing their credit report due to the incident.

DOVER (Oct. 21, 2022) – The Delaware Division of Developmental Disabilities Services is announcing today that it is mailing letters to service recipients and legal guardians who were impacted by a recent data breach incident and is providing information to the public regarding the incident.

On August 23, 2022, staff within the Division of Developmental Disabilities Services (DDDS) discovered that in the process of creating new user accounts in the division’s client database, DDDS staff inadvertently provided access to individual records of 7074 individuals. As a result of these actions, 159 new users had potential access to service recipients’ personal, identifiable information and protected health information as well as potential access to more detailed information through accessed accounts.

A thorough investigation of the incident was conducted. Using forensic analysis available through the software’s vendor, the division has been able to determine how many users accessed information not intended for their use, and which service recipient records were opened and viewed. While the division has determined that only 12 detailed records were actively accessed, certain personal, identifiable information and protected health information was passively available to any user with the erroneous access level. The software vendor is unable to determine who may have passively viewed this information.

Based on this internal investigation and consultation with the software vendor, the division is taking corrective measures to tighten security and protection of the personal health information of its service recipients. DDDS has:

• Reviewed and reinforced its Health Insurance Portability and Accountability Act (HIPAA)-related policies and procedures.
• Established new guidelines for the creation of user accounts and a tightened approval process for accessing records.
• Worked with its vendor to institute technology checks on providing access.

The division will incorporate lessons from this analysis into the design and implementation of its new client data management system scheduled for transition in 2023.

As required by HIPAA and state law, the Delaware Division of Developmental Disabilities Services has reported this breach to the U.S. Department of Health and Human Services and to the Delaware Department of Justice.

The Division of Developmental Disabilities Services is also establishing a dedicated call center independently staffed by a contracted company to answer any questions about this incident. Call center representatives have been fully versed on the incident and can answer questions or concerns individuals may have regarding protection of their personal information. Additionally, the division will be offering free access to credit monitoring to all impacted parties for a period of one year.

The call center can be reached at 1-833-875-0644 Monday through Friday, from 9:00 a.m. to 9:00 p.m. Eastern Time, excluding U.S. holidays.

Information will also be posted on the Delaware Department of Health and Social Services website at: https://dhss.delaware.gov/dhss/ and the division’s website: https://dhss.delaware.gov/dhss/ddds/.

June 26, 2019

DOVER, DE – The Delaware Department of Insurance recently received notice of a data security breach suffered by Dominion National, an insurer and administrator of dental and vision benefits. On April 24, 2019, through its investigation of an internal alert, Dominion National discovered that servers containing enrollment data, demographic details, and personal information of consumers, plan producers, and healthcare providers may have been accessed by an unauthorized party. The investigation determined that the unauthorized access may have occurred as early as August 25, 2010. Dominion National advised the Department of Insurance that they responded immediately by cleaning the affected servers and initiating a comprehensive review of data stored on or potentially accessible from the servers.

Commissioner Trinidad Navarro stated, “Upon receiving notice of this breach, I asked that our market conduct division begin an investigation to learn all of the facts behind this incident.  The Department of Insurance will determine if appropriate safeguards were in place, and if private consumer information was handled properly.”

On June 17, 2019, the comprehensive review determined that the potentially compromised information might include the following data: names, addresses, dates of birth, email addresses, Social Security numbers, taxpayer identification number, bank account and routing numbers, member ID numbers, group numbers, and subscriber names of what amounts to 10% of Delaware’s population. This number reflects those who are current or former members of Dominion National or of insurance plans administered through Dominion National. It is important to note that some affected by the data breach may not have had a plan through Dominion National, but had a plan for which Dominion National was the third-party administrator.

According to Dominion National, there is “no evidence that any information was in fact accessed, acquired, or misused.” The company has implemented enhanced monitoring and alerting software and is providing 2 years of free credit monitoring and fraud protection services for all individuals potentially impacted by the incident. Dominion National has posted a security notice online at dominionnationalfacts.com. Additional help and information can be obtained from the company’s dedicated incident response line at 877-503-8923.  TTY/TDD users can call 844-261-6819. The dedicated incident response line is open Monday through Friday, 8 a.m. to 8 p.m.

###

The Delaware Department of Insurance protects Delawareans through regulation and education while providing oversight of the insurance industry to best serve the public.

Contact:

Vince Ryan

Sr. Advisor to the Commissioner

Vince.ryan@delaware.gov

Office: 302-674-7303

Mobile: 302-387-7670

DOVER, DE— As a result of multiple consumer complaints, the Delaware Department of Insurance has been made aware of a security breach, involving Summit Reinsurance Services, Inc. (“SummitRe”) and BCS Financial Corporation, both subcontractors of Highmark Blue Cross Blue Shield of Delaware. The breach affects thousands of Delawareans with employer-paid plans. As reported by Karen Kane, Director of Privacy and Information Management for Highmark Blue Cross Blue Shield of Delaware, the breach impacts a total of sixteen current and former Highmark self-insured customers and approximately 19,000 of their members. In response, Commissioner Navarro issued the following statement:

“We are aware of the reported breach. I would like to ensure Delaware consumers that the Department of Insurance takes this matter seriously and is currently investigating how this occurred. I have directed my staff to closely monitor the situation as it develops. Many Delawareans have received mailed correspondence frpom SummitRe explaining the breach (See Attachment). Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter as some form of a sales ad (due to the fact that they had not purchased any line of insurance from SummitRe).  If consumers have received a letter from SummitRe regarding this situation and have questions, they may contact the Delaware Department of Insurance at 1-800-282-8611 or 302-674-7300, or by e-mail at consumer@delaware.gov.”

The Commissioner has ordered an investigation into the reported breach. Highmark Blue Cross Blue Shield of Delaware is cooperating with the Delaware Department of Insurance to resolve the matter.

PDF attachment: 19000-de-consumers-affected-by-data-breach-1-13-17

###

Contact: Vince Ryan

Office: (302) 674-7303

Mobile: (302) 387-7670

Email: vince.ryan@delaware.gov