The breach involved Summit Reinsurance Services and BCS Financial Corporation, subcontractors of Highmark Blue Cross Blue Shield of Delaware.
Karen Kane, director of privacy and information management for Highmark Blue Cross Blue Shield of Delaware revealed that the breach has impacted 16 current and former Highmark self-insured customers and approximately 19,000 members.
A letter sent to consumers by Summit Re states that leaked information could include names, social security numbers, health insurance information, provider’s name, and/or claim-focused medical records containing diagnosis and clinical information.
Trinidad Navarro, insurance commissioner of Delaware, has ordered an investigation into the reported breach.
The letter also suggests that, although Summit Re discovered ransomware on 8 August last year, during an “ongoing investigation”, the unauthorised access first occurred on 12 March 2016.
However, it notes that: “To date, we have found no direct evidence of actual or attempted misuse of personal information on the affected server as a result of this incident.”
In response to the data breach, Navarro reassured consumers that the department “takes this matter seriously and is currently investigating how this occurred”.
Navarro said: “I have directed my staff to closely monitor the situation as it develops. Many Delawareans have received mailed correspondence from Summit Re explaining the breach. Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter as some form of a sales ad, due to the fact that they had not purchased any line of insurance from Summit Re.”
According to the Delaware Department of Insurance, Highmark Blue Cross Blue Shield of Delaware is cooperating with the Delaware Department of Insurance to resolve the matter.