A class action lawsuit filed by those impacted in a 2.96 million-record data breach, discovered in 2019, against Dominion National has resulted in a settlement offer being proposed by the defendant.
After the official investigation into the data breach came to and end in April 2019, the Virginia-based insurer, health plan administrator, and administrator of dental and vision benefit reported that cybercriminals were able to log onto its servers that were holding a range of personal and protected health information of account holders.
In the direct aftermath of the breach discovery it was expected that some 122,000 health plan members had been impacted. However, a deepers dive into the incident revealed that the PHI of 2,964,778 people had been impacted, The official review of the breach found that the breach began some time around August 25, 2010 and resulted in the potential theft of names, dates of birth, email addresses, member ID details, group numbers, subscriber numbers, and Social Security information. Individuals who enrolled online through the Dominion National web portal may also have had their bank account and routing number accessed.
In addition to this providers were also impacted with similar data also accessible as above. Dominion National stated that no proof of the improper use of the stolen data had yet been found. However, the group made available free credit monitoring and identity theft protection services for a period of 24 months.
Not long after the breach was revealed and breach alert letters were shared to impacted people, a class action lawsuit – Abubaker v. Dominion Dental USA, Inc. et al. – was submitted in the United States District Court, Eastern District of Virginia against Dominion National (Dominion Dental USA, Inc., Dominion Dental Services USA, Inc., Dominion National Insurance Company, Dominion Dental Services of New Jersey, Inc., and Dominion Dental Services, Inc.) and Avalon Insurance Company, Capital Advantage Insurance, Capital BlueCross, and Providence Health Plan.
The plaintiffs claimed that there was negligence in the absence of adequately cybersecurity measures on servers and databases and also in the failure to discover the infiltration of the databases for 9 years. Due to these misdemeanours, the legal action said, individuals have been placed at a significant risk of identity theft and fraud.
The proposed settlement states that class members will be entitled to file a claim for losses and out-of-pocket expenses incurred as a result of the data breach. Claims can be filed for ordinary losses up to $300 to cover out-of-pocket expenses and fees for credit reports and credit monitoring between August 14, 2019, and July 19, 2021. Up to $100 can also be claimed for time lost addressing the security incident.
Dominion National will also be processing claims submitted for extraordinary losses up to $7,500 per person for actual, documented, and unreimbursed monetary losses that are fairly and reasonably traceable to the data breach.
A limit of $2 million has been set for on claims for ordinary and extraordinary losses. If the claims total is more than $2 million, claims will be paid pro rata. The exclusion deadline is October 2, 2021, the objection deadline is October 2, 2021, and the deadline for submitting claims is January 15, 2022. A fairness hearing has been scheduled for November 19, 2021.