(The Center Square) — More than 32,000 Delaware residents may have had their personal financial information compromised in recent data breaches involving insurance carriers and third-party companies, according to state regulators.
The state Department of Insurance announced that it has received more reports from insurers about data breaches, including consumers affected by a Russian ransomware gang’s so-called “supply chain hack” of the file transfer software MOVEit, used by many third-party insurance vendors.
The list of agencies which potentially had their data compromised includes 8,880 customers of the Teachers Insurance and Annuity Association; 8,000 customers of Genworth Financial and about 1,300 Humana customers, according to the state agency.
The agency warned Delawareans who are agents, policyholders or beneficiaries of the 16 agencies should be aware that their data may have been compromised and should watch for notification.
Insurance Commissioner Trinidad Navarro pledged to “thoroughly investigate” the data breaches and “assess if appropriate safeguards were in place” to prevent the hacks from occurring.
“I take any breach of personal information very seriously, and encourage consumers affected to utilize the identity and credit protection services offered,” he said in a statement.
The notice follows a similar one in June in response to a data breach involving a third-party vendor for Genworth Financial, who that a hack had impacted the personal information of an estimated 2.5 to 2.7 million people, including roughly 8,000 Delaware residents.
Regulators said the company disclosed that the information may have included agents, policyholders and beneficiaries’ data, including names, contact information, dates of birth, social security numbers and policy numbers.
The company has set up a website providing information for customers affected by the breach and offers free services such as fraud consultation and identity theft restoration services.
Under Delaware’s Insurance Data Security Act, the state is required to investigate and fix compromised information systems and notify consumers within 60 days, unless federal law or law enforcement agencies request a delay in disclosing the breach.
The law also requires consumers to provide credit monitoring services at no cost for at least one year and receive information about how to freeze their credit.
Insurance companies that store large amounts of personal financial information, including Social Security numbers and bank accounts, have become a frequent target for criminal gangs that use malware and other sophisticated hacking technologies to infiltrate computer systems and steal data.
The breach of the MOVEit file-transfer program is estimated to have compromised hundreds of companies and entities, including the U.S. Department of Energy, Johns Hopkins University and California’s multibillion-dollar pension system.
