Aetna Reports 326,000 Affected by Mailing Vendor Hack

Insurer Says OneTouchPoint Was a Subcontractor

Health insurer Aetna ACE reported to federal regulators a health data breach affecting nearly 326,000 individuals tied to an apparent ransomware incident involving OneTouchPoint, a subcontractor that provides printing and mailing services to one of the insurer's vendors.


Wisconsin-based OneTouchPoint last week reported to Maine's attorney general that a hacking incident discovered in April affected nearly 1.1 million individuals.

OneTouchPoint in a statement posted on its website also lists more than 30 health plan clients that were affected by the incident. Aetna ACE was not included in that list.

Nonetheless, Aetna ACE on July 27 reported the OneTouchPoint incident to the Department of Health and Human Services as a HIPAA breach affecting nearly 326,300 individuals.

In a statement provided to Information Security Media Group on Tuesday, Aetna says the affected information may have included names, addresses, dates of birth, and limited medical information.

The incident did not involve any of Aetna's or parent company CVS Health's systems, Aetna adds.

Breaches involving health insurers pose big privacy and security concerns for the protected health information of their members, some experts say.

"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.

Previous Mailing Breach

The OneTouchPoint incident is not the first health data breach reported by Aetna involving a vendor that provides printing and mailing services.

A messy 2017 mailing breach affecting 12,000 individuals ended up costing Aetna millions of dollars in regulatory fines and legal settlements (see: Yet Another Twist in Messy Aetna Privacy Breach Case).

That privacy breach occurred during a mailing by a vendor of letters to about 12,000 Aetna plan members in several states to inform them of new options for filling their HIV prescriptions. The members' HIV drug information was potentially visible through that mailing's envelopes, which had transparent windows.

That privacy incident resulted in Aetna paying more than $20 million in legal settlements related to regulatory fines by a few state attorneys general and the resolution of class action lawsuits.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
