Cyber Incident Victim: Dominion Resources

In March 2014, an attacker breached systems belonging to Onsite Health Diagnostics, a subcontractor handling online health-screening appointments for Dominion Resources' employee wellness program. The intrusion, which occurred on March 25, exposed personal information of approximately 1,700 individuals associated with Dominion Resources, including employees and their spouses or domestic partners who had scheduled appointments through the system. Compromised data consisted of names, addresses, email addresses, phone numbers, genders, dates of birth, and encrypted passwords used for Onsite Health Diagnostics' platform. The breach remained undetected for nearly three months before discovery. Dominion Resources, a Virginia-based energy company, was not directly compromised, as the incident originated within its subcontractor's infrastructure.

Onsite Health Diagnostics notified StayWell Health Management, Dominion's wellness program vendor, about the breach on June 16, 2014. Dominion Resources learned of the incident eight days later on June 24, with specific identities of affected individuals confirmed by July 7. The company promptly notified all impacted parties and advised them to change their usernames and passwords as a precautionary measure. Dominion also offered affected individuals complimentary credit monitoring services for one year. As a direct consequence of the breach, Dominion terminated its relationship with Onsite Health Diagnostics for scheduling services. Company spokesperson C. Ryan Frazier confirmed Dominion was conducting a thorough review of all similar vendor relationships to assess security practices. The delayed discovery timeline—from March intrusion to July notifications—highlighted vulnerabilities in third-party system monitoring.