Triple Data Breach Earns Insurer $1m Fine
An American insurance company has been fined $1m over three data breaches that occurred between April and September 2017.
Aetna agreed to the fine and to the adoption of a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The payment will go to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS).
On April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members had been serving those documents without requiring login credentials, so anyone who reached the document URLs could view them. As a result of this breach, the sensitive data of 5,002 individuals was exposed.
Protected health information (PHI) disclosed in the incident included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
Aetna experienced a second data breach on July 28, 2017, when benefit notices were mailed to members in window envelopes through which the words "HIV medication" were visible next to the member's name and address. A breach report submitted to OCR in August stated that 11,887 individuals were affected by this disclosure.
The third 2017 breach that hit Aetna happened on September 25, when a research study mailing sent to members carried on the outside of the envelope the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating. Aetna reported in November 2017 that 1,600 individuals were affected by this breach.