A patient receives an eye exam at a free health clinic. The health plan administrator Dominion National reached a $2 million settlement with the 2.9 million patients affected by a data breach. (Photo by John Moore/Getty Images)
Insurance giant Dominion National reached a $2 million settlement with the 2.9 million patients affected by its nine-year data breach, first reported in 2019. The security incident was the second-largest breach reported to the Department of Health and Human Services that year.
The settlement will provide each individual with up to $300 for out-of-pocket expenses stemming from the breach, as well as for credit reports and monitoring services through July 19, 2021. The amount also includes up to $100 in lost time incurred by responding to the incident.
Dominion National is also required to compensate “extraordinary losses” caused by actual, documented, and unreimbursed monetary losses, up to $7,500 per person and capped at $2 million.
Dominion is a health plan administrator, as well as an insurer of dental and vision benefits. The insurer falls under the umbrella of Dominion Dental, which is owned by Capital Advantage Insurance Company. All branches fall under the Capital Blue Cross umbrella.
In April 2019, an internal alert notified the security team of unauthorized access. The investigation found threat actors had exploited vulnerabilities in its computer servers to gain access to its systems beginning as early as Aug. 25, 2010.
The attackers could potentially have accessed and stolen enrollment and demographic data of current and former vision plan members, as well as data belonging to dental and vision members. The affected server also held data on health care providers and plan producers.
The compromised information was highly sensitive and varied by individual, including Social Security numbers, bank account and routing numbers, member identification numbers, taxpayer identification, contact details, and other data.
In response, the breach victims filed a class action lawsuit in the U.S. District Court for the Eastern District of Virginia, Alexandria Division, alleging the insurer was responsible for the breach, as it failed to implement and maintain reasonable safeguards, or comply with industry-standard data security practice.
Those security failures directly contradicted “representations made in Dominion National’s privacy statements and express and implied agreements with plan members and the insureds of third party insurers on whose behalf it provides benefit administration.”
“Dominion National failed to secure its databases containing massive amounts of members’ personal Information, failed to detect the hackers’ presence, and failed to take any steps to investigate the numerous other red flags that should have warned the company that its systems were not secure,” the lawsuit argued.
“[Dominion] had the resources to prevent a breach and made significant expenditures to promote their dental and vision plans, but neglected to invest adequately in data security, despite the growing number of well-publicized data breaches affecting insurance, healthcare, and other related industries,” it added.
The lawsuit also took issue with Dominion National’s breach notice, particularly as patients were not informed of the precise data accessed during the incident. Without that information, individuals were unable to take the appropriate measures to protect their privacy from malicious activity.
The breach notice also did not detail when the system intrusion was first discovered, nor why the attackers went undetected for nine years.
As recently noted, many health care providers struggle with balancing consumer expectations against regulatory requirements in breach notifications. The HIPAA Breach Notification Rule requires an individual notice to give only a brief description of what happened (including the date of the breach and the date of its discovery, if known), the types of information involved, steps individuals should take to protect themselves, what the entity is doing to investigate and mitigate the breach, and contact information; it does not require the entity to disclose the technical root cause or the specific records each individual had exposed.
The lawsuit argued that the “extraordinary” length of time it took to discover the breach strongly suggests that Dominion National did not regularly update software or equipment and lacked an adequate security information and event management (SIEM) capability. The delay could also be attributed to a failure to adequately monitor or log remote access to the network, as well as to a host of other industry-standard security processes.
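The monitoring gap the lawsuit points at, remote access that is logged but never reviewed, is the kind of thing a simple baseline check catches. The script below is an added example written for this article, not code from Dominion National or from the court record; the log format, the business-hours window and the six log lines are all constructed for illustration. It parses remote-access login records, flags a successful login from a source address an account has never used before, flags logins outside business hours, and lists source addresses shared by more than one account (a common sign of a single foothold being used to pivot between identities).

```python
"""Baseline review of remote-access logins (added example, constructed data).

Checks performed on successful logins:
  - new-source: the account has an established baseline and this source IP is not in it
  - off-hours:  the login falls outside the configured business-hours window
  - shared sources: one IP used by several accounts
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN gateway log; the format is assumed for this example only.
SAMPLE_LOG = """\
2019-03-01T08:12:04Z vpn-gw1 login user=jsmith src=203.0.113.10 result=success
2019-03-01T08:40:51Z vpn-gw1 login user=akhan src=198.51.100.7 result=success
2019-03-02T09:02:17Z vpn-gw1 login user=jsmith src=203.0.113.10 result=success
2019-03-03T02:47:33Z vpn-gw1 login user=jsmith src=192.0.2.55 result=success
2019-03-03T02:48:01Z vpn-gw1 login user=svc_backup src=192.0.2.55 result=success
2019-03-04T09:15:00Z vpn-gw1 login user=akhan src=198.51.100.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def flag_anomalies(events, business_hours=(7, 19)):
    """Return (timestamp, user, src, reasons) for each suspicious successful login.

    The baseline is built as the log is replayed in time order, so an account's
    very first login is never flagged as 'new-source'. In production the baseline
    would be seeded from historical data instead of starting empty.
    """
    seen = defaultdict(set)  # user -> source IPs observed so far
    alerts = []
    start, end = business_hours
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failed attempts are a separate (brute-force) check
        reasons = []
        if ev["src"] not in seen[ev["user"]]:
            if seen[ev["user"]]:  # only alert once a baseline exists
                reasons.append("new-source")
            seen[ev["user"]].add(ev["src"])
        if not (start <= ev["ts"].hour < end):
            reasons.append("off-hours")
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["src"], reasons))
    return alerts


def shared_sources(events):
    """Map each source IP used by more than one account to the set of accounts."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            users_by_src[ev["src"]].add(ev["user"])
    return {src: users for src, users in users_by_src.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in flag_anomalies(evs):
        print("ALERT", *alert)
    for src, users in shared_sources(evs).items():
        print("SHARED", src, sorted(users))
```

On the constructed data this raises two alerts: jsmith's 02:47 login from 192.0.2.55 (new source, off hours) and the svc_backup login a minute later from the same address (off hours only, since that account has no prior baseline), and it reports 192.0.2.55 as shared by both accounts. The svc_backup case is the caveat that matters: a check that starts with an empty baseline stays blind to accounts that first appear during an intrusion, so the baseline must be seeded from a known-good period.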
As a result of these failures, the breach victims claimed they were at a significant risk of identity theft, financial fraud, and other identity-related fraud into the indefinite future.
The lawsuit claims that multiple individuals have already experienced harms as a direct result of the breach, including identity theft, financial fraud, tax fraud, unauthorized lines of credit opened in their names, medical and health-care fraud, and unauthorized access to their bank accounts.
The breach victims have also invested time, money, and effort responding to the breach impact, including credit protection services, contacting financial institutions, monitoring credit reports, and other reviews to prevent and respond to unauthorized activity.
Further, these time-consuming and costly responses will continue into the foreseeable future.
The lawsuit sought monetary relief for actual and statutory damages, attorneys’ fees, and additional relief deemed proper by the court to remediate these losses. Dominion National and the breach victims settled out of court, and a federal judge recently approved the settlement.
In approving it, the court found the proposal adequate and “negotiated at arm’s length by informed and experienced counsel.”
The number of lawsuits filed in the wake of health care data breaches has dramatically increased in the last few years, as the incidents become more common. The Dominion settlement joins a growing list of providers that chose to resolve breach allegations out of court, including three in the last year.
Most recently, patients filed a lawsuit against Scripps Health after a ransomware attack and data exfiltration incident in May 2021 that impacted the protected health information of 150,000 patients.