Health IT, Payers

Information of nearly half a million Aetna members exposed in email hack

An email hacking incident exposed the information of close to 500,000 Aetna health plan members, the payer reported to HHS last week. The incident occurred when an unauthorized person gained access to an email account of Aetna's vision benefit services provider.

The personal and health information of nearly 500,000 Aetna members was exposed in the summer when an email account of the payer’s vision benefit services provider was hacked.

The payer disclosed the email hacking incident to the Department of Health and Human Services’ Office for Civil Rights last week, reporting that it affected 484,157 health plan members.

On Sept. 28, Aetna was informed that an EyeMed email account was accessed by an unauthorized individual and that phishing emails were sent to addresses contained in the mailbox, Amy Thibault, senior manager of corporate communications at CVS Health, Aetna’s parent, said in an email. Aetna contracts with EyeMed for vision benefit services.

The email account contained information about individuals who previously or currently receive vision-related services through EyeMed, including Aetna customers, Thibault said. The information that may have been accessed included names, addresses, dates of birth and vision insurance accounts/identification numbers. In some cases, full or partial Social Security numbers, birth or marriage certificates, medical diagnoses and conditions, treatment information or financial information may have been accessed.

“It could not be fully determined whether, and to what extent, if any, the unauthorized individual viewed or acquired personal information,” Thibault said. “However, EyeMed and Aetna are not aware of any misuse of information that may have been accessed during this incident.”

The incident was discovered July 1, and on the same day the company blocked the unauthorized individual’s access to the mailbox and secured it, EyeMed said in a statement on its website. It also launched an investigation into the incident and hired a cybersecurity firm.

EyeMed is mailing letters to affected individuals and has established a dedicated call center to answer any questions and concerns. It is also offering free credit monitoring and identity protection services for two years.

“Aetna places the highest priority on protecting the privacy of its customers and takes significant measures to protect private information from unauthorized uses and disclosures,” Thibault said. “We continue to stay in close contact with EyeMed to help ensure it takes the appropriate steps to protect customers’ information.”

This year, the healthcare industry experienced an onslaught of cybersecurity incidents and ransomware attacks, from the malware attack that brought hospital chain Universal Health Services’ technology systems down to the more recent ransomware attack that disrupted UVM Health Network’s IT infrastructure. In October, the Federal Bureau of Investigation, along with two other agencies, released an advisory warning of an “imminent and increased cybercrime threat” to healthcare providers.

Further, email phishing attacks are one of the most common types of cybersecurity incidents in healthcare. More than half of healthcare cybersecurity professionals (57%) said that their organization experienced a phishing attack in the last year, according to recent survey from the Healthcare Information and Management Systems Society.

Photo credit: weerapatkiatdumrong, Getty Images

Shares1
Shares1