Providence Health Plan notifying 122K members of 3rd-party data breach

Providence Health Plan is notifying about 122,000 members that their personal information may have been exposed in a security breach at the program’s dental plan administrator, Virginia-based Dominion National.

Oregon-based Providence Health Plan—the insurance arm of the Providence Health and Services delivery system—was notified by Dominion National, an administrator of dental benefits, of possible unauthorized access to its computer servers. The breach may have started nine years ago, Providence Health Plan said in a statement on its website.

On April 24, 2019, Dominion National was investigating an internal alert and determined that an unauthorized party may have accessed some of its computer servers. The unauthorized access may have occurred as early as August 25, 2010, Providence Health Plan said.

"Upon learning of this information, Dominion National notified law enforcement, moved quickly to clean the affected servers, implemented enhanced monitoring software and launched an investigation with the assistance of a leading cybersecurity firm," Providence said.

The Oregonian reported that the security breach could impact as many as 122,000 Providence Health Plan members. Providence Health Plan did not immediately respond to a request for comment.

The data stored or potentially accessible from Dominion National’s computer servers may have included enrollment and demographic information for current and former members of Providence Health Plan’s dental program. The information may include names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, group numbers and subscriber numbers, Providence Health Plan said.

There is no evidence that any information was actually viewed, accessed or has been misused, the organizations said.

Dominion National, on behalf of Providence Health Plan, is notifying potentially affected members. 

Healthcare data breaches involving third-party vendors are on the rise. More than half of hospitals (56%) have experienced one or more vendor-related data breaches in the past two years, at an average cost of $2.9 million, according to a Ponemon report. A massive data breach at a third-party billing collections firm, the American Medical Collection Agency (AMCA), impacted at least four clinical labs and potentially exposed over 22 million patients' data.

Healthcare organizations need to properly manage third-party security risks to protect patients' and members' data, cybersecurity experts say.

The organizations are recommending that customers monitor their insurance statements and explanation of benefits forms for unauthorized activity. Dominion National is offering affected customers two years of free credit monitoring and fraud protection services.

The plan administrator sent an ambiguous letter to Providence customers this month saying an unauthorized party may have accessed its computer servers and personal information, the Oregonian reported. "The security problem did not occur on Providence servers but could affect some 2.9 million individuals nationwide whose insurance plans use Dominion as an administrator," according to the Oregonian article.

Gary Walker, a spokesman for Providence, said the company has only been using Dominion as an administrator since 2015, so its customers’ potential exposure was for a shorter period, the Oregonian reported.