The following is part of Relation Insurance’s disclosure notice, published February 13 on their site:
What Happened? Relation Insurance Inc. (“Relation”) provides insurance brokerage services working with certain insurance providers, and we are issuing notice of a recent event that may impact the privacy of certain personal information. To date, Relation has not received any reports that personal information has been misused as a result of this event.
On August 15, 2019, Relation became aware of unusual activity in an employee’s email account. We immediately secured the employee’s email account and launched an investigation, with the assistance of a third-party computer forensics specialists, to determine what may have happened and what information may have been affected. Our investigation determined that an unknown individual had access to the email account between August 14th and August 15th of 2019. We then undertook a comprehensive review of emails that were present in the account at the time of the incident to identify what personal information was stored within the emails and to whom that information relates. On October 16, 2019, Relation confirmed personal information was present in the email account and began review its files to determine which business partners were associated with this information. On December 13, 2019, Relation provided notice of this incident to its insurance provider partners. Although we are unaware of any actual or attempted misuse of any personal information, we are providing this notification out of an abundance of caution.
What Information Was Involved? The potentially affected information varied by carrier and individual. The information that may have been present in the email account at the time of the incident included the following identifiers: name, address, telephone number, email address, date of birth, Social Security number, passport number, driver’s license or state issued identification number, copy of marriage or birth certificate, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment cost, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number, and date of death.
What Are We Doing? Information privacy and security are among our highest priorities. Relation has strict security measures in place to protect information in our care. Upon discovering this incident, we immediately took steps to confirm the security of our systems, including our employee email accounts. We reviewed existing security policies and implemented additional measures to further protect information, including enhanced email security. We also reported this incident to law enforcement.
You can read the full notification here, but it seems that once again, we are seeing notifications made months after discovery of an incident — in this case, six months until public disclosure. Now some will argue that the breach wasn’t discovered until October 16 when they discovered/learned that the email account had personal information in it, but why did it take two months to discover that? Some of these delays simply do not sound totally reasonable in the absence of any explanation for delays.