Health insurer notifies members after third-party vendor suffers ransomware attack
It appears that a third-party vendor has quietly paid ransom to unidentified threat actors.
In a press release yesterday, Renaissance Life & Health Insurance Company of America says they were notified on June 1 by their vendor, Secure Administrative Solutions LLC (“SAS”), of a ransomware incident that involved unauthorized access to its systems occurred between March 15 and April 15, 2021.
The threat actors were reportedly able to exfiltrate protected health information from SAS, including “names, addresses, dates of birth, health insurance policy numbers, and other health insurance information (e.g., policy type, premium amount, issuance date, etc.).”
But then Renaissance added a sentence to their notification:
Renaissance understands that the exfiltrated information has been destroyed by the unauthorized actor, but that the identity of the unauthorized actor is unknown.
So SAS appears to have paid ransom to threat actors who swore to destroy the data? Of course, that pledge is really worth nothing in terms of assurances to consumers, but Renaissance is letting customers/members know that SAS tried to protect them after the fact, if that counts for anything (and it might count for something if anyone is contemplating litigation).
You can read Renaissance’s full press release here. The incident is not yet up on HHS’s public breach tool, so we do not know the number of their members being notified. Nor do we have any statement from SAS on their web site. An attempt to contact SAS through their web form returned an error message that “The requested URL /contact/submit/ was not found on this server.”
SAS’s list of carrier partners on their web site also includes Cigna.