The victim count for the Horizon Actuarial Services data breach has continued to climb months after the ransomware attack was initially disclosed.
Horizon Actuarial was attacked last November, but the company didn’t discover it had been breached until mid-January and didn’t disclose the incident and resulting exposed data until March 21. The attack on the consulting firm, which provides actuarial services for employer benefits plans, illustrates how far-reaching the effects of a ransomware incident can be.
In recent weeks, more victims have emerged from the Horizon Actuarial data breach, stating that they were among the customers affected by the financial firm’s data breach. In its most recent filing to the Maine attorney general’s office on April 26, Horizon said the number affected rose to 1,312,212, the majority of whom belong to healthcare and benefit plans managed by the group.
Horizon Actuarial’s breach notification said that stolen personal identifying information (PII) could include names, dates of birth, Social Security numbers and health plan information. In the same breach notification, Horizon Actuarial provided the names of all the plans and trusts it manages that have been hit by the data breach. Since the breach was first disclosed by the company on March 21, the number of victim organizations has slowly increased. The notification initially listed just two customers that were affected by the breach; that list has now grown to 33 organizations.
The groups impacted range from local bakery driver unions to national and international plans like the Major League Baseball (MLB) Players Benefit Plan and the National Hockey League Players Association Health and Benefits Fund.
Following the attack, which began on Nov. 10, Horizon Actuarial said that it received an email from threat actors claiming to have stolen data from customers. The company then negotiated with the threat actors and paid a ransom in exchange for a pledge from the threat actors to delete the stolen data. Horizon Actuarial began providing notice of the data breach to affected plans on Jan. 13 and offered to inform individual victims for the plans.
However, individuals belonging to the plans were not informed by Horizon Actuarial until the beginning of March at the earliest, and some far later.
Victim notifications and disclosures
The earliest notice filed with state attorneys general came from the MLB Players Benefit Plan on March 9, which identified more than 13,000 individuals in its plan that were affected by this breach. The first notice filed by Horizon and submitted by COO/CFO Mark Lewis came on March 22, stating that there were 194,195 individuals affected by this data breach.
Over the next few weeks, Horizon Actuarial and its affected customers continued to send notices, increasing the victim pool of this breach. About a month after its first notice, the company sent its letter putting the victim count over 1.3 million. The most recent notifications sent to attorneys general and individual victims have apparently caused issues among those affected. In a class action lawsuit filed on April 19 against Horizon Actuarial, the plaintiff Justin Sherwood claimed that he was not informed he was a victim of the data breach until April 14.
The lawsuit doesn’t just take issue with the timing of the response by Horizon Actuarial but the nature of the data breach as well, similar to the lawsuit filed against Ultimate Kronos Group in March. The members of the class action lawsuit can include anyone in the U.S. who had PII compromised in this data breach, a number than exceeds 1 million individuals.
The lawsuit points to Horizon Actuarial’s alleged lack of preparedness for a data breach as well as the significant time it took to inform individuals affected by it. In addition, the lawsuit states that “defendant also breached its duty to timely and accurately disclose to Plaintiff and the other Class Members that their PII had been or was reasonably believed to have been improperly accessed or stolen.”
The number of victims for the Horizon Actuarial data breach could continue to grow. Since March 22, Horizon has submitted four different notices to Maine’s attorney general, updating the number of victims affected by this data breach each time, with the most recent coming on April 26.
Horizon Actuarial did not respond to requests from comment.