Close Close

Life Health > Health Insurance > Your Practice

Subcontracting complicates Summit Re ransomware outreach

Your article was successfully shared with the contacts you provided.

Insurance regulators in Delaware are worried that consumers affected by a data security incident at Summit Reinsurance Services Inc. may have no idea what Summit Re is.

Summit Re is a health reinsurance and employer stop-loss insurance advisor based in Fort Wayne, Indiana. It’s been part of a life insurance subsidiary of Blue Cross and Blue Shield of South Carolina since 2010.

The company uses health plan enrollees’ personal health information when helping plans get through the reinsurance or stop-loss underwriting process. It found ransomware on a server that may have contained enrollee data, including Social Security numbers and medical claim information, on Aug. 8, 2016.

Related: What every independent agent needs to know about cybersecurity

Summit Re says it has no evidence that anyone has used any information from the server inappropriately, but the company launched an investigation, updated its security procedures, and notified clients of the ransomware attack.

Summit Re says in the ransomware attack notices that it’s offering to provide people potentially affected by the incident with one year of free credit monitoring and free identity restoration services.

“Summit is committed to the security of the personal information in its care and worked, and will continue to work, to enhance the protections in place to protect data,” the company says in the notice.

The list of Summit Re clients with customers getting breach notices includes Highmark Blue Cross Blue Shield of Delaware, Louisiana Health Cooperative Inc., PrimeWest Health of Minnesota, Select Health Network of Indiana and Tufts Health Public Plans Inc., according to company breach notices and press reports.

In Delaware, for example, 19,000 people received breach notices, officials say

Trinidad Navarro, the state’s new insurance commissioner, says he’s worried about what may happen when consumers get letters in the mail from a company that has done business with their health plans, rather than directly with the consumers.

“We fear that many may have misinterpreted or inadvertently discarded the letter as some form of a sales ad (due to the fact that they had not purchased any line of insurance from Summit Re),” Navarro says in a statement.

The Delaware Department of Insurance included Navarro’s statement in a press release the department put out in an effort to get consumers to open the Summit Re breach notice letters.

The Health Insurance Portability and Accountability Act of 1996 created the framework for the current federal health information regulatory system. Congress added breach notification requirements in the Health Information Technology for Economic and Clinical Health Act, part of the American Recovery and Reinvestment Act of 2009. The Office for Civil Rights, part of the U.S. Department of Health and Human Services, established ransomware response guidelines in July 2016.


7 ways ransomware could invade your firm

Medical Reinsurance Reflects Evolving Health Care Market

We’re on Facebook, are you?


© 2023 ALM Global, LLC, All Rights Reserved. Request academic re-use from All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.