HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019.

The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers.

Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised.  The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed.

Providers were also affected by the breach and had names, dates of birth, Social Security numbers, and/or taxpayer identification numbers exposed. Dominion National did not find evidence that the individuals behind the cyberattack had acquired or misused the data of members. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 2 years.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Shortly after announcing the data breach and issuing notification letters to affected individuals, a class action lawsuit – Abubaker v. Dominion Dental USA, Inc. et al. – was filed in the United States District Court, Eastern District of Virginia against Dominion National (Dominion Dental USA, Inc., Dominion Dental Services USA, Inc., Dominion National Insurance Company, Dominion Dental Services of New Jersey, Inc., and Dominion Dental Services, Inc.) and Avalon Insurance Company, Capital Advantage Insurance, Capital BlueCross, and Providence Health Plan.

The plaintiffs alleged the defendants were negligent for failing to adequately protect servers and databases and for not detecting the presence of the hackers in systems for 9 years. As a result of those failures, individuals have been placed at a significant risk of identity theft and fraud.

Under the terms of the proposed settlement, class members will be entitled to submit a claim for losses and out-of-pocket expenses incurred in relation to the data breach. Claims can be submitted for ordinary losses up to $300 to cover out-of-pocket expenses and fees for credit reports and credit monitoring between August 14, 2019, and July 19, 2021. Up to $100 can also be claimed for time lost responding to the security incident.

Dominion National will also be accepting claims for extraordinary losses up to $7,500 per person for actual, documented, and unreimbursed monetary losses that are fairly and reasonably traceable to the data breach.

A cap of $2 million has been placed on claims for ordinary and extraordinary losses. If the claims total exceeds $2 million, claims will be paid pro rata. The exclusion deadline is October 2, 2021, the objection deadline is October 2, 2021, and the deadline for submitting claims is January 15, 2022. A fairness hearing has been scheduled for November 19, 2021.

Dominion National will also be covering the costs of settlement administration, court-approved attorneys’ fees and expenses, and service awards for named plaintiffs. Additional security measures have also been implemented to improve security, which have cost Dominion National approximately $2,679,500.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.