2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Share this article on:

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services for.

Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when the Dominion National first became aware of the breach.

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years membership to credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

A long-term breach such as this has potential to affect a great many plan members. According to the summary published on the HHS’ Office for Civil Rights Breach Portal, 2,964,778 plan members have had their PHI exposed.

While system access was confirmed, Dominion National uncovered no evidence to suggest any patient data was accessed, acquired or misused by the individual responsible for the attack. Breach notification letters were mailed on June 21, 2019. The substitute breach notice on the Dominion National website makes no mention of credit monitoring or identity theft protection services.

Updated: 07.03.19

Author: HIPAA Journal

Share This Post On