HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services for.

Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when the Dominion National first became aware of the breach.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years membership to credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

A long-term breach such as this has potential to affect a great many plan members. According to the summary published on the HHS’ Office for Civil Rights Breach Portal, 2,964,778 plan members have had their PHI exposed.

While system access was confirmed, Dominion National uncovered no evidence to suggest any patient data was accessed, acquired or misused by the individual responsible for the attack. Breach notification letters were mailed on June 21, 2019. The substitute breach notice on the Dominion National website makes no mention of credit monitoring or identity theft protection services.

Updated: 07.03.19

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.