Personal information of 1,700 people in Dominion Resources Inc.’s employee wellness plan was hacked in March, according to the program’s contractor.
Those affected were notified Friday.
The hacker gained access through a subcontractor’s system to get individuals’ names, addresses, email addresses, phone numbers, gender and dates of birth, StayWell Health Management LLC said in a statement Tuesday.
Salt Lake City-based StayWell also said the hacker accessed password information for the system of subcontractor Onsite Health Diagnostics, though the passwords themselves were encrypted.
The breach involves information belonging to Dominion Resources’ employees, spouses and domestic partners who went online to schedule a health-screening appointment going back to 2012, the energy company said, including about 1,100 people in Virginia.
“Dominion regrets the data breach at a third-party vendor,” Dominion Resources spokesman C. Ryan Frazier said Tuesday. “We are taking this matter seriously and are conducting a thorough review of all of these types of vendors.”
To their knowledge, the hacked information hasn’t been further misused, Dominion Resources and StayWell said.
Richmond-based Dominion Resources has advised those affected by the breach to change their usernames and passwords, he said. The company also is offering them a free one-year membership in a program that protects employees through credit monitoring.
StayWell is Dominion Resources’ vendor for its “Well on Your Way” program, which includes a health screening. Onsite Health Diagnostics, based in Irvine, Texas, provided the sign-up mechanism for the program’s health-screening appointments.
Onsite Health Diagnostics did not respond Tuesday to a request for comment.
According to StayWell, Onsite Health Diagnostics said the breach occurred March 25 but wasn’t discovered immediately.
After discovering the hacking, Onsite Health Diagnostics notified StayWell on June 16, StayWell said.
Dominion Resources said the company was notified of the breach on June 24 but didn’t learn the identities of those affected until July 7.
Frazier said Dominion Resources is investigating why it took so long for the company to be alerted, adding that it is no longer using Onsite Health Diagnostics for scheduling.