Data breaches in the healthcare sector have become ubiquitous; it feels like there are daily stories on how a health plan was phished or how a hack has yielded patient records at a medical center.
Often these stories involve facilities that accidentally left files on an exposed FTP server or had employees who mistakenly clicked through an email, actions that can compromise data for several months.
Late last week a health insurer revealed that a data breach that compromised data on its systems may have started as many as 108 weeks, or nine years, ago, in the summer of 2010.
Arlington, Virginia-based Dominion National, an insurer and administrator of dental and vision benefits, said Friday that it realized in April, after an internal alert triggered an investigation at the company, that it had experienced a data security incident.
Upon investigating the alert, something the company did alongside a cybersecurity firm it hired, Dominion National discovered that an unauthorized party may have begun accessing its servers as early as August 25, 2010.
The company, which handles data for members of healthcare plans, producers, and providers, said Friday that it appears enrollment and demographic information for current and former members of Dominion National and Avalon vision was on those servers.
Vision plans under Dominion are underwritten by Pennsylvania-based Avalon Insurance Company and administered via Dominion Dental Services USA, Inc., or DDUSA, in some areas, including D.C., Delaware, Maryland, Pennsylvania, and Virginia.
In addition to data on both its own members and Avalon’s, the company said that current and former members of unspecified plans it provides administrative services for may have also been implicated. Those members may have had their names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, group numbers, and subscriber numbers compromised. Members who enrolled online through Dominion National’s website may have had their bank account and routing numbers included in the data as well.
In addition to the aforementioned groups, producers who placed policies with the companies and providers who participate in Dominion National's insurance programs may also be implicated. According to the company, the provider information may have included names, dates of birth, Social Security numbers, and/or taxpayer identification numbers; the producer information may have included names and Social Security numbers.
All told, the company didn't say exactly how many victims may have had their data accessed over the last nine years.
While the company said it took steps to clean the affected servers and said it has no evidence that attackers took any of the data, the fact that the issue took nearly nine years to come to light is troubling.
Without further insight into the breach, including how an attacker may have gotten into the server, it's unclear exactly what Dominion National's Achilles' heel was.
It's possible the data wasn't properly classified, something which could have allowed it to linger on the servers as long as it did, unregulated and unflagged. Perhaps the appropriate policies, mechanisms that can help detect and thwart unauthorized access, weren't in place. By having a solution in place to prevent unauthorized data access and misuse, it’s possible the company could have halted access to the data in the first place.