The cyberattack mostly impacted members of Vermont Blue Advantage
By Tiffany Tan/VTDigger
The personal information of at least 16,000 Vermont health insurance customers was stolen in a cyberattack in January — more than twice the number originally reported.
The affected people included over 14,000 Vermont residents, of whom 13,700 were members of Vermont Blue Advantage health insurance plans, the state Attorney General’s Office said this week.
It said the other residents were on different insurance plans: nearly 300 with Aetna ACE and about 50 with UAW Retiree Medical Benefits Trust.
Another roughly 2,250 individuals were members of Vermont Blue Advantage who lived out of state, according to Blue Cross Blue Shield of Vermont, an owner of the privately managed Medicare Part C plan. The company said that, nationwide, the cyberattack affected thousands of organizations and millions of people.
VTDigger reported earlier this month that the Jan. 30 data breach of an IT management software company, Fortra LLC, compromised the personal information of 7,000 retired Vermont teachers who were members of Vermont Blue Advantage, based on information from the state treasurer’s office. (Fortra provided software that Vermont Blue Advantage used to exchange files with its supplemental benefits administrator, NationsBenefits.)
After the story was published, VTDigger received multiple messages from Vermont retirees affected by the data breach — people who were not retired teachers and wondered about the extent of the breach within the state.
The state Attorney General’s Office didn’t learn until May 26 that over 14,000 Vermont residents were involved, said spokesperson Lauren Jandl.
Blue Cross Vermont said the company didn’t inform the state Department of Financial Regulation of the data breach until late last Thursday, because of a miscommunication between it and NationsBenefits about who was going to contact the department.
Blue Cross spokesperson Sara Teachout said NationsBenefits had sent a letter to each affected member, detailing what personal information was stolen in the data breach.
She said that information included names, dates of birth, addresses, medical and insurance details and, for 5% of the affected customers, their bank information. The company said no Social Security numbers or credit card numbers were taken.
When asked why NationsBenefits sent the notification letters — which some recipients initially thought were junk mail because they had never dealt with that entity — Teachout said that was NationsBenefits’ responsibility in the incident.
“As the company that experienced the cyberattack and resulting data breach, NationsBenefits is responsible for notifying impacted parties,” she said in an email.
Teachout said NationsBenefits, Blue Cross and Vermont Blue Advantage also reported the breach to the Office for