Dover – As a result of multiple consumer complaints, the Delaware Department of Insurance has been made aware of a security breach, involving Summit Reinsurance Services, Inc. (“SummitRe”) and BCS Financial Corporation, both subcontractors of Highmark Blue Cross Blue Shield of Delaware, according to a the Delaware Department of Insurance.
The breach affects thousands of Delawareans with employer-paid plans. As reported by Karen Kane, Director of Privacy and Information Management for Highmark Blue Cross Blue Shield of Delaware, the breach impacts a total of sixteen current and former Highmark self-insured customers and approximately 19,000 of their members. In response, Commissioner Navarro issued the following statement:
We are aware of the reported breach. I would like to ensure Delaware consumers that the Department of Insurance takes this matter seriously and is currently investigating how this occurred. I have directed my staff to closely monitor the situation as it develops. Many Delawareans have received mailed correspondence from SummitRe explaining the breach . Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter as some form of a sales ad (due to the fact that they had not purchased any line of insurance from SummitRe). If consumers have received a letter from SummitRe regarding this situation and have questions, they may contact the Delaware Department of Insurance at 1-800-282-8611 or 302-674-7300, or by e-mail at [email protected].
The Commissioner has ordered an investigation into the reported breach. Highmark Blue Cross Blue Shield of Delaware is cooperating with the Delaware Department of Insurance to resolve the matter.
Partial Letter
RE: Notice of Data
Incident Dear••••••
January 4, 201 7
Summit Reinsurance Services, Inc. (“Summit”) is writing to inform you of a data security event that may affect the security of your personal information and to provide you with information on how to better protect against the possible misuse of your information. Summit has your information because we provide underwriting and consulting reinsurance services to certain insurance companies.
What Happened? On August 8, 2016, Summit discovered that ransom ware had infected a server containing certain personal information. Summit immediately launched an investigation to determine the nature and scope of this event and to prevent the encryption of data contained on the server. Summit also began working with third-party forensic investigators to assist with these efforts. While our forensic investigation is ongoing, it appears that the unauthorized access to the server first occurred on March 12, 2016. To date, Summit has no direct evidence that such data has been used inappropriately.
What Information Was Involved? The information contained on the affected server may have included your name, Social Security number, health insurance information, provider’s name, and/or claim-focused medical records containing diagnosis and clinical information.
What Are We Doing? We take the security of information in our care very seriously. Although the forensic investigation is ongoing, to date, we have found no direct evidence of actual or attempted misuse of personal information on the affected server as a result of this incident. Nevertheless, in an abundance of caution, we are notifying you of this incident. Additionally, we have notified your insurance company.
We are also providing you with information you can use to better protect against identity theft and fraud, as well as access to one year of credit monitoring and identity restoration services at no cost to you. You can find more information and steps you c.an take, as well as information on how to enroll in the credit monitoring services, in the enclosed Steps You Can Take to Prevent Identity Theft and Fraud.