Aetna Reports 326,000 Affected by Mailing Vendor Hack
Insurer Says OneTouchPoint Was a Subcontractor
Health insurer Aetna ACE reported to federal regulators a health data breach affecting nearly 326,000 individuals tied to an apparent ransomware incident involving OneTouchPoint, a subcontractor that provides printing and mailing services to one of the insurer's vendors.
Wisconsin-based OneTouchPoint last week reported to Maine's attorney general that a hacking incident discovered in April affected nearly 1.1 million individuals.
OneTouchPoint in a statement posted on its website also lists more than 30 health plan clients that were affected by the incident. Aetna ACE was not included in that list.
Nonetheless, Aetna ACE on July 27 reported the OneTouchPoint incident to the Department of Health and Human Services as a HIPAA breach affecting nearly 326,300 individuals.
In a statement provided to Information Security Media Group on Tuesday, Aetna says the affected information may have included names, addresses, dates of birth, and limited medical information.
The incident did not involve any of Aetna's or parent company CVS Health's systems, Aetna adds.
Breaches involving health insurers raise big privacy and security concerns for the protected health information of their members, some experts say.
"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
Previous Mailing Breach
The OneTouchPoint incident is not the first health data breach reported by Aetna involving a vendor that provides printing and mailing services.
A messy 2017 mailing breach affecting 12,000 individuals ended up costing Aetna millions of dollars in regulatory fines and legal settlements (see: Yet Another Twist in Messy Aetna Privacy Breach Case).
That privacy breach occurred during a mailing by a vendor of letters to about 12,000 Aetna plan members in several states to inform them of new options for filling their HIV prescriptions. The members' HIV drug information was potentially visible through that mailing's envelopes, which had transparent windows.
That privacy incident resulted in Aetna paying more than $20 million in legal settlements related to regulatory fines by a few state attorneys general and the resolution of class action lawsuits.