9-Year PHI Breach at Dominion National Impacted 2.9 Million Members


A data security incident at Dominion National involved the personal data of its clients. Dominion National is an insurance provider, health plan administrator, and administrator of dental and vision benefits primarily based in Virginia. Hackers initially accessed the provider’s servers in 2010.

Dominion National started an internal investigation after being alerted about the incident and received confirmation of the systems breach on April 24, 2019. A prominent cybersecurity agency conducted a thorough forensic analysis of the affected data. The investigation findings confirmed that the sensitive data of present and past members of Dominion National and Avalon Vision plans was compromised. The PHI of members of health plans administered by Dominion National was also compromised.

The data of people affiliated with plan producers, healthcare providers and companies whose dental and vision benefits were administered by Dominion National was also compromised. The first unauthorized access to Dominion National’s systems was on August 25, 2010, and it took nine years for the investigation to conclude. However, there is no certain information as to when Dominion National first knew about the breach.

The cyberattack investigation concluded on April 24, 2019. Only then were all affected people sent notifications and offered membership in credit monitoring and identity theft protection services for two years. Dominion National secured all servers affected by the hacking and upgraded them with tracking and alerting software.

Various types of information belonging to the affected people were compromised, including names, addresses, email addresses, Social Security numbers, birth dates, bank account and routing numbers, member ID numbers, group numbers, subscriber numbers and taxpayer ID numbers.

Long-term breaches can potentially impact a large number of plan members. The HHS’ Office for Civil Rights published the breach summary on its breach portal, indicating that 2,964,778 plan members were affected.

Although investigators confirmed the unauthorized system access, Dominion National did not receive any report of access to or misuse of any patient data as a result of the attack. Dominion National sent breach notifications via mail on June 21, 2019 and posted the substitute breach notice on its website, which did not mention any offer for credit monitoring or identity theft protection services.