Delaware DOI Investigating Data Breach Affecting 19,000 Consumers

By | January 13, 2017

The Delaware Department of Insurance is investigating a security breach involving Summit Reinsurance Services Inc. (SummitRe) and BCS Financial Corporation, both subcontractors of Highmark BlueCross BlueShield of Delaware.

The department was made aware of the breach as a result of multiple consumer complaints, according a press release issued by the department.

The release states that the breach affects thousands of Delawareans with employer-paid plans. Karen Kane, Director of Privacy and Information Management for Highmark Blue Cross Blue Shield of Delaware, reported the breach impacts a total of sixteen current and former Highmark self-insured customers and approximately 19,000 of its members.

“I have directed my staff to closely monitor the situation as it develops,” said newly elected Delaware Insurance Commissioner Trinidad Navarro in a statement.

He added that while many Delawareans received mailed correspondence from SummitRe at the beginning of January explaining the breach, the department fears that many may have misinterpreted or inadvertently discarded the letter as a sales ad due to the fact that they had not purchased any line of insurance from SummitRe.

However, SummitRe has access to this personal information because it provides underwriting and consulting reinsurance services to certain insurance companies, President Mark Troutman outlined in the letter to consumers.

The breach announcement comes after SummitRe discovered on August 8, 2016, that ransomware had infected a server containing consumers’ personal information, Troutman stated in the letter.

The information contained on the affected server may have included consumers’ names, Social Security numbers, health insurance information, providers’ names and claim-focused medical records containing diagnosis and clinical information.

After discovering the ransomware, SummitRe immediately launched an investigation to determine the name and scope of the event and to prevent the encryption of data contained on the server, the letter stated. SummitRe also began working with third-party forensic investigators to assist with these efforts. It believes the unauthorized access to the server first occurred on March 12, 2016. While the forensic investigation is ongoing, there is no direct evidence to date that the data has been used inappropriately, the letter said.

“We take the security of information in our care very seriously,” Troutman stated in the letter. “Although the forensic investigation is ongoing, to date, we have found no direct evidence of actual or attempted misuse of personal information on the affected server as a result of this incident. Nevertheless, in an abundance of caution, we are notifying you of this incident. Additionally, we have notified your insurance company.”

He added that SummitRe is also providing consumers with information to better protect against identity theft and fraud going forward, as well as access to one year of credit monitoring and identity restoration services at no cost.

Highmark Blue Cross Blue Shield of Delaware is cooperating with the Delaware Department of Insurance to resolve the matter, the Delaware Department of Insurance press release stated.

Topics Cyber

Was this article valuable?

Here are more articles you may enjoy.