The personal information of at least 16,000 Vermont health insurance customers was stolen in a cyberattack in January — more than twice the number originally reported.
The affected people included over 14,000 Vermont residents, of whom 13,700 were members of Vermont Blue Advantage health insurance plans, the state Attorney General’s Office said in response to a VTDigger inquiry.
It said the other residents were on different insurance plans: nearly 300 with Aetna ACE and about 50 with UAW Retiree Medical Benefits Trust.
Another roughly 2,250 individuals were members of Vermont Blue Advantage who lived out of state, according to Blue Cross Blue Shield of Vermont, an owner of the privately managed Medicare Part C plan. The company said that, nationwide, the cyberattack affected thousands of organizations and millions of people.
VTDigger reported earlier this month that the Jan. 30 data breach of an IT management software company, Fortra LLC, compromised the personal information of 7,000 retired Vermont teachers who were members of Vermont Blue Advantage, based on information from the state treasurer’s office. (Fortra provided software that Vermont Blue Advantage used to exchange files with its supplemental benefits administrator, NationsBenefits.)
After the story was published, VTDigger received multiple messages from Vermont retirees affected by the data breach — people who were not retired teachers and wondered about the extent of the breach within the state.
The state Attorney General’s Office didn’t learn until May 26 that over 14,000 Vermont residents were involved, said spokesperson Lauren Jandl.
Blue Cross Vermont said the company didn’t inform the state Department of Financial Regulation of the data breach until late last Thursday, because of a miscommunication between it and NationsBenefits about who was going to contact the department.
Blue Cross spokesperson Sara Teachout said NationsBenefits had sent a letter to each affected member, detailing what personal information was stolen in the data breach.
She said that information included names, dates of birth, addresses, medical and insurance details and, for 5% of the affected customers, their bank information. The company said no Social Security numbers or credit card numbers were taken.
When asked why NationsBenefits sent the notification letters — which some recipients initially thought were junk mail because they had never dealt with that entity — Teachout said that was NationsBenefits’ responsibility in the incident.
“As the company that experienced the cyberattack and resulting data breach, NationsBenefits is responsible for notifying impacted parties,” she said in an email.
Teachout said NationsBenefits, Blue Cross and Vermont Blue Advantage also reported the breach to the Office for Civil Rights of the U.S. Department of Health and Human Services, as well as the FBI.
When asked whether the Attorney General’s Office issued a press release about the thousands of residents affected by the breach, Jandl said the office publishes on its website copies of the notice letters that companies provide to customers when they experience data breaches. She said that included NationsBenefits’ initial notification in April.
Jandl said the attorney general’s office receives 30 to 40 data breach notices a month, or five to 10 a week. Last year, she said, the largest single breach involved 50,000 Vermonters.
Officials earlier said the identity of the cyber attackers remained unknown and police are investigating.
Jandl said Vermonters with questions or concerns about identity theft can contact the office of the attorney general’s consumer assistance program at 800-649-2424 or ago.vermont.gov/cap.
Meanwhile, NationsBenefits is offering all affected individuals 24 months of free identity protection. That includes credit monitoring, identity theft resolution and $1 million in identity theft insurance.
NationsBenefits said it learned about the data breach at Fortra on Feb. 7, about a week after it occurred. In a statement, NationsBenefits said it has stopped using Fortra’s software and is putting more security procedures in place.