[BreachExchange] Delaware DOI Investigating Data Breach Affecting 19, 000 Consumers

[Audrey McNeil]

http://www.insurancejournal.com/news/east/2017/01/13/438821.htm

The Delaware Department of Insurance is investigating a security breach
involving Summit Reinsurance Services Inc. (SummitRe) and BCS Financial
Corporation, both subcontractors of Highmark BlueCross BlueShield of
Delaware.

The department was made aware of the breach as a result of multiple
consumer complaints, according a press release issued by the department.

The release states that the breach affects thousands of Delawareans with
employer-paid plans. Karen Kane, Director of Privacy and Information
Management for Highmark Blue Cross Blue Shield of Delaware, reported the
breach impacts a total of sixteen current and former Highmark self-insured
customers and approximately 19,000 of its members.

“I have directed my staff to closely monitor the situation as it develops,”
said newly elected Delaware Insurance Commissioner Trinidad Navarro in a
statement.

He added that while many Delawareans received mailed correspondence from
SummitRe at the beginning of January explaining the breach, the department
fears that many may have misinterpreted or inadvertently discarded the
letter as a sales ad due to the fact that they had not purchased any line
of insurance from SummitRe.

However, SummitRe has access to this personal information because it
provides underwriting and consulting reinsurance services to certain
insurance companies, President Mark Troutman outlined in the letter to
consumers.

The breach announcement comes after SummitRe discovered on August 8, 2016,
that ransomware had infected a server containing consumers’ personal
information, Troutman stated in the letter.

The information contained on the affected server may have included
consumers’ names, Social Security numbers, health insurance information,
providers’ names and claim-focused medical records containing diagnosis and
clinical information.

After discovering the ransomware, SummitRe immediately launched an
investigation to determine the name and scope of the event and to prevent
the encryption of data contained on the server, the letter stated. SummitRe
also began working with third-party forensic investigators to assist with
these efforts. It believes the unauthorized access to the server first
occurred on March 12, 2016. While the forensic investigation is ongoing,
there is no direct evidence to date that the data has been used
inappropriately, the letter said.

“We take the security of information in our care very seriously,” Troutman
stated in the letter. “Although the forensic investigation is ongoing, to
date, we have found no direct evidence of actual or attempted misuse of
personal information on the affected server as a result of this incident.
Nevertheless, in an abundance of caution, we are notifying you of this
incident. Additionally, we have notified your insurance company.”

He added that SummitRe is also providing consumers with information to
better protect against identity theft and fraud going forward, as well as
access to one year of credit monitoring and identity restoration services
at no cost.

Highmark Blue Cross Blue Shield of Delaware is cooperating with the
Delaware Department of Insurance to resolve the matter, the Delaware
Department of Insurance press release stated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170113/b6597caf/attachment.html>