Commissioner issues statement; breach involved Summit Reinsurance Services, Inc. (SummitRe) and BCS Financial Corporation, both subcontractors of Highmark BlueCross BlueShield of Delaware, with 19,000 members affected.
As a result of multiple consumer complaints, the Delaware Department of Insurance has been made aware of a security breach, according to DOI spokesman John Hinkson in an email Friday morning.
The breach affects thousands of Delawareans with employer-paid plans. As reported by Karen Kane, director of privacy and information management for Highmark Blue Cross Blue Shield of Delaware, the breach impacts a total of 16 current and former Highmark self-insured customers and approximately 19,000 of their members.
The breach involved Summit Reinsurance Services, Inc. (SummitRe) and BCS Financial Corporation, both subcontractors of Highmark BlueCross BlueShield of Delaware.
In response, DOI commissioner Trinidad Navarro issued the following statement:
“We are aware of the reported breach. I would like to ensure Delaware consumers that the Department of Insurance takes this matter seriously and is currently investigating how this occurred.
"I have directed my staff to closely monitor the situation as it develops. Many Delawareans have received mailed correspondence from SummitRe explaining the breach. Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter as some form of a sales ad (due to the fact that they had not purchased any line of insurance from SummitRe).
"If consumers have received a letter from SummitRe regarding this situation and have questions, they may contact the Delaware Department of Insurance at 1-800-282-8611 or 302-674-7300, or by e-mail at firstname.lastname@example.org.”
NOTE: The information below is directly from the letter SummitRe mailed to customers Jan. 4:
Summit Reinsurance Services, Inc. ("Summit") is writing to inform you of a data security event that may affect the security of your personal information and to provide you with information on how to better protect against the possible misuse of your information. Summit has your information because we provide underwriting and consulting reinsurance services to certain insurance companies.
On Aug. 8, 2016, Summit discovered that ransomware had infected a server containing certain personal information. Summit immediately launched an investigation to determine the nature and scope of this event and to prevent the encryption of data contained on the server, according to a letter Summit sent on Jan. 4.
Summit also began working with third-party forensic investigators to assist with these efforts. While our forensic investigation is ongoing, it appears that the unauthorized access to the server first occurred on March 12, 2016. To date, Summit has no direct evidence that such data has been used inappropriately.
What Information Was Involved?
The information contained on the affected server may have included your name, Social Security number, health insurance information, provider's name, and/or claim-focused medical records containing diagnosis and clinical information.
What Are We Doing?
We take the security of information in our care very seriously. Although the forensic investigation is ongoing, to date, we have found no direct evidence of actual or attempted misuse of personal information on the affected server as a result of this incident. Nevertheless, in an abundance of caution, we are notifying you of this incident. Additionally, we have notified your insurance company.
"We are also providing you with information you can use to better protect against identity theft and fraud, as well as access to one year of credit monitoring and identity restoration services at no cost to you. You can find more information and steps you can take, as well as information on how to enroll in the credit monitoring services, in the enclosed Steps You Can Take to Prevent Identity Theft and Fraud.
Steps You Can Take To Prevent Identity Theft And Fraud:
To help you further safeguard against any potential misuse of your personal information, we are offering you access to one (1) year of complimentary membership in Experian's ProtectMyID Alert.
This product helps detect possible misuse of your personal information and provides you with identity protection support focused on immediate identification and resolution of identity theft. To enroll, please follow the instructions below:
Activate ProtectMylD Now in Three Easy Steps
1. Ensure That You Enroll By: March 31,2017 (Your code will not work after this date.)
2. Visit the ProtectMyID Website to Enroll: www.protectmyid.com/alert
3. Provide Your Activation Code: PABWARUJE
If you have questions or need an alternative to enrolling online, please call (877) 297-7780 and provide engagement#: PC105331.
A credit card is not required for enrollment. Once your ProtectMyID memberships activated, you will receive the following features:Free copy of your Experian credit report Surveillance Alerts for: Daily Bureau Credit Monitoring: Alerts of key changes & suspicious activity found on your Experian credit report. Identity Theft Resolution & ProtectMyID ExtendCARE: toll-free access to US-based customer care and a dedicated Identity Theft Resolution agent who will walk you through the process of fraud resolution from start to finish for seamless service.They will investigate each incident; help with contacting credit grantors to dispute charges and close accounts including credit, debit and medical insurance cards; assist with freezing credit files; contact government agencies. It is recognized that identity theft can happen months and even years after a data breach. To offer added protection, you will receive ExtendCARE, which provides you with the same high-level of Fraud Resolution support even after your ProtectMyID membership has expired. $1 Million Identity Theft lnsurance: Immediately covers certain costs, including lost wages, private investigator fees, and unauthorized electronic fund transfers.
We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.
Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus.
To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
At no charge, you can also have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name.
Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity.