Insurer: Breach Undetected for Nine Years
Dominion National Says Recently Discovered Incident Dates Back to 2010
A dental and vision insurer's revelation that it recently discovered a 9-year-old data security incident offers an extreme example of the difficulty some organizations have in detecting data breaches.
In a June 21 statement, Arlington, Virginia-based Dominion National says that on April 24, "an investigation of an internal alert" with the assistance of a cybersecurity firm determined that an unauthorized party may have accessed some of its computer servers starting nearly nine years ago.
"The unauthorized access may have occurred as early as August 25, 2010," the statement says. "Dominion National moved quickly to clean the affected servers. Dominion National has no evidence that any information was, in fact, accessed, acquired or misused." Nonetheless, the company is offering those who may have been affected two years of complimentary identity and credit monitoring.
The company's statement does not mention how many individuals were potentially impacted by the incident. The incident is also not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website that lists health data breaches affecting 500 or more individuals.
Dominion National did not immediately respond to Information Security Media Group's request for additional details about the incident.
Data on Accessed Servers
In its statement, Dominion National says it "has undertaken a comprehensive review of the data stored or potentially accessible" from the exposed servers. It has determined that the data may include enrollment and demographic information for current and former members of Dominion National and Avalon Vision, as well as individuals affiliated with the organizations for which Dominion National administers dental and vision benefits.
"The servers may have also contained personal information pertaining to plan producers and participating healthcare providers," the statement notes. "The information varied by individual, but may include names in combination with addresses, email addresses, dates of birth, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers and subscriber numbers."
The company says it has contacted the FBI about the incident.
"Given the length of time it has taken the company to detect this breach, the number of impacted patients could be extensive," says Clyde Hewitt, executive adviser at the security consulting firm CynergisTek.
Because the company also appears to be a third-party administrator to self-funded health plans, the number of other impacted covered entities could grow as well, he adds.
Why So Long?
IBM's 2018 Cost of a Data Breach study found that, on average, companies take about 197 days to identify a breach and a further 69 days to contain it.
But much longer lags in detecting breaches are not unusual. For example, the 2014 cyberattack on health insurer Anthem that resulted in a data breach impacting nearly 79 million individuals was determined to have started nearly a year before it was detected and disclosed (see: Analysis: Did Anthem's Security Certification Have Value?).
Outside of the healthcare sector, breach detection delays are also a common challenge. For instance, in 2016, Hutton Hotel, an upscale, 247-room facility in Nashville owned by Carey Watermark Investors, revealed that a string of cyberattacks striking point-of-sale systems compromised its customers' payment card details for more than three years before being detected.
But even against that backdrop of common detection delays, the nine-year lag at Dominion National is unusually long, some experts note.
"Dominion National's notification of a breach nine years after the unauthorized access may be an unenviable record for detection," says Hewitt of CynergisTek. "This is unusual because it strongly suggests that they may not have been performing comprehensive security audits or performing system activity reviews."
Tom Walsh, president of the consultancy tw-Security, notes: "I am surprised that they detected it dating that far back. Most organizations do not retain audit logs or event logs for that long.
"Most disturbing is that an intruder or a malicious program or code could be into the systems and not previously detected. Nine years is beyond the normal refresh lifecycle for most servers. I would have thought that it could have been detected during an upgrade or a refresh of the hardware."
Walsh adds that it is still unclear whether the incident is reportable under the HIPAA Breach Notification Rule. "They [Dominion National] were careful in stating that there is no evidence to indicate that data was even accessed," he notes.
Regardless, organizations that report breaches after lengthy delays generally fit into one of two groups, Hewitt contends.
"First, there are organizations that make a conscious decision to underfund their security program to the point that it is incapable of implementing a well-balanced security program capable of detecting incidents. These organizations may be resource limited or simply haven't translated security into business impacts," he says.
The second group includes organizations with security staff that are "over confident in their own abilities and are unwilling or unable to report the true security posture to senior leadership," Hewitt adds.
"This second scenario is common when security responsibilities are assigned to the CIO without having an independent security leader to balance the discussion," he says. "It is also common when individuals are filling security roles without the benefit of appropriate training."
So what can healthcare sector entities do to improve the timeliness of breach detection?
"Review event logs on a routine basis - or better yet, monitor in real time using behavioral analytics or artificial intelligence systems," Walsh suggests.
"There are security monitoring services available to assist with log review/monitoring. Dedicating a network engineer for the sole purpose of reviewing logs is not a good use of their time - thus, the growing service sector for log monitoring services."
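As an added illustration of the routine log review Walsh recommends (this is example code written for this page, not anything published by Walsh, tw-Security or Dominion National), the script below builds a per-account baseline from a learning window of server login events and then flags later events that fall outside it. The log lines, host name, accounts and addresses are all constructed for the example; a real deployment would feed it from a SIEM or log collector rather than a string.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
import re

# Constructed sample log in a syslog-like shape (made up for this example, not real data):
# "<ISO-8601 timestamp> <host> sshd: Accepted <method> for <user> from <ip>"
SAMPLE_LOG = """\
2010-08-02T09:15:02 claims-db1 sshd: Accepted publickey for dbadmin from 10.20.30.5
2010-08-02T02:00:11 claims-db1 sshd: Accepted publickey for svc-backup from 10.20.40.12
2010-08-03T14:40:57 claims-db1 sshd: Accepted publickey for dbadmin from 10.20.30.7
2010-08-04T02:00:09 claims-db1 sshd: Accepted publickey for svc-backup from 10.20.40.12
2010-08-05T16:22:31 claims-db1 sshd: Accepted publickey for dbadmin from 10.20.30.5
2010-08-25T03:12:44 claims-db1 sshd: Accepted password for dbadmin from 203.0.113.45
2010-08-26T09:05:00 claims-db1 sshd: Accepted publickey for dbadmin from 10.20.30.5
2010-08-26T02:00:14 claims-db1 sshd: Accepted publickey for svc-backup from 10.20.40.12
2010-08-27T22:48:03 claims-db1 sshd: Accepted password for tmpuser from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
            # Collapse the source address to its /24 so a new host on a known subnet is not noise.
            "net": str(ip_network(f"{m['ip']}/24", strict=False)),
        })
    return events


def build_baseline(events):
    """Per-account profile: source /24s and hours of day observed during the learning window."""
    profile = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        profile[e["user"]]["nets"].add(e["net"])
        profile[e["user"]]["hours"].add(e["ts"].hour)
    return dict(profile)


def check_event(event, baseline):
    """Return the reasons an event deviates from the baseline (empty list if it looks normal)."""
    prof = baseline.get(event["user"])
    if prof is None:
        return ["account never seen in baseline"]
    reasons = []
    if event["net"] not in prof["nets"]:
        reasons.append(f"new source network {event['net']}")
    if event["ts"].hour not in prof["hours"]:
        reasons.append(f"login at hour {event['ts'].hour:02d} outside usual hours")
    return reasons


def analyze(text, baseline_end):
    """Events before baseline_end train the profile; events at or after it are checked against it."""
    events = parse_events(text)
    cutoff = datetime.fromisoformat(baseline_end)
    baseline = build_baseline(e for e in events if e["ts"] < cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = check_event(e, baseline)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["ip"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, ip, reasons in analyze(SAMPLE_LOG, "2010-08-20T00:00:00"):
        print(f"{ts} {user}@{ip}: {'; '.join(reasons)}")
```

On the constructed data, the off-hours login for `dbadmin` from an outside network and the login by an account that never appeared in the learning window are flagged; the normal daytime and nightly-backup logins are not. The per-hour profile is deliberately crude: with only a few days of training data it will over-alert on any hour not yet seen, so in practice the learning window should be weeks long and the hour check replaced by coarser buckets (business hours versus off-hours) or a proper behavioral-analytics tool, which is the point Walsh makes about real-time monitoring.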
Hewitt notes that timely incident detection starts with establishing a robust risk analysis program.
"All potential threat vectors should be documented and also include some type of control monitoring that can detect anomalies and alert staff," he says. "For external threat sources, such as hacking and malware, organizations should implement a security operations center monitored 24x7."
Organizations also should implement a formal incident response program "that goes beyond the traditional IT department, including other executives and their departments," Hewitt says.