Cyber Incident Victim: Summit Reinsurance Services Inc.
Date:
Dec 2016
Location:
United States of America
Summary
A cybersecurity breach at Summit Reinsurance Services Inc. potentially exposed sensitive personal and medical information of approximately 1,000 current and former employees of Black Hawk College and their dependents. The incident involved unauthorized access to Summit's servers, compromising names, Social Security numbers, health insurance details, and medical records. The affected individuals were notified of the potential data exposure stemming from the third-party insurance provider's compromised systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In December 2016, Summit Reinsurance Services Inc., a former insurance provider for Black Hawk College (BHC), experienced a security breach involving unauthorized access to its servers. The breach occurred when Summit’s systems were infected by malicious software, potentially exposing sensitive information belonging to approximately 1,000 current and former employees of Black Hawk College. The compromised data included full names, Social Security numbers, health insurance details, and medical records. The incident also extended to dependents of these employees, whose personal and medical information may have been accessed. Summit Reinsurance Services identified the server infection and subsequently notified Black Hawk College about the potential data exposure. The breach did not originate from Black Hawk College’s own systems but stemmed exclusively from Summit’s infrastructure, which stored historical employee benefit information. No specific details about the attack vector, duration of unauthorized access, or identity of the threat actors were disclosed in the notification.
Black Hawk College publicly disclosed the incident through a news release after being informed by Summit Reinsurance Services. The college confirmed that the breach exclusively impacted individuals associated with its employment records held by Summit, with no evidence suggesting misuse of the exposed data at the time of disclosure. Summit’s notification did not specify whether regulatory agencies or law enforcement were involved in investigating the breach. The compromised medical and insurance records created heightened risks of identity theft and medical fraud for affected employees and their dependents. No remediation or credit monitoring services for victims were mentioned in the initial college statement. The disclosure emphasized the potential scale of the incident due to the inclusion of dependent data but provided no further technical details about Summit’s security measures or post-breach corrective actions.