Regular readers will realize that I’ve been reporting on the Summit Reinsurance breach since it first appeared in a covered entity’s disclosure back in November. Since then, I’ve been compiling and/or reporting on other entities affected by the ransomware attack that they discovered August 8, 2016.
So seven months after discovery, they are first issuing a public notice? Perhaps they couldn’t reach all of their clients’ members or patients. In any event, here’s how their notification begins:
FORT WAYNE, Ind., March 13, 2017 /PRNewswire/ — Summit Reinsurance Services, Inc. discovered an event that may affect the security of certain individuals’ personal information. Summit provides reinsurance and employer stop-loss underwriting services to certain insurance companies and has individuals’ information because of the services Summit provides.
What Happened? On August 8, 2016, Summit discovered that ransomware had infected a server containing certain personal information. Summit immediately launched an investigation to determine the nature and scope of this event and to prevent the encryption of data contained on the server. Based on the forensic investigation, it appears that the unauthorized access to the server first occurred on or around March 13, 2016.
What Information Was Involved? The information contained on the affected server may have included name, Social Security number, health insurance information, provider’s name, and/or claim-focused medical records containing diagnosis and clinical information.
What We Are Doing. To date, Summit has no direct evidence that data from the affected server has been used inappropriately. Nevertheless, in an abundance of caution, Summit, on behalf of certain affected health plans and self-funded employer groups, is notifying affected individuals of this incident. Summit is also providing information that can be used to better protect against identity theft and fraud, as well as access to one year of credit monitoring and identity restoration services at no cost to the individual. Summit is committed to the security of the personal information in its care and has worked, and will continue to work, to enhance the protections in place to protect data.
What You Can Do. You can review the information Summit is providing on steps individuals can take to protect against identity theft and fraud.
For More Information. If you believe you have been affected by this incident, please call (877) 215-9747, Monday through Friday, 9 a.m. to 7 p.m. EST (closed on U.S. observed holidays) and provide Reference Number 2996113016.
Full press release available here.