Aetna has reported that over 484,000 of its members were affected by a data breach that occurred at a business associate offering services for its vision benefits plan members. In July 2020, an unauthorized person acquired access to an email account of a staff of EyeMed based in Cincinnati and utilized it for sending other phishing emails to people listed in the mailbox’s address book.
EyeMed looked into the breach and confirmed that the mailbox stored the protected health information (PHI) of 484,157 Aetna members, close to 1,300 members of Blue Cross Blue Shield of Tennessee, and 60,545 members of Tufts Health Plan. There is no proof found that indicates the theft or misuse of data. Still, it can’t be 100% certain that there was no data theft. Affected health plans received notifications about the breach in September.
The compromised email account included data like members’ names, birth dates, health insurance ID numbers, vision insurance ID numbers, and the Social Security numbers, birth certificates, diagnoses, and financial information for some persons. The breach just impacted current and past members of the health plans noted above that obtained vision benefits via EyeMed.
An EyeMed spokesperson stated that it has taken immediate action to strengthen security and gave security awareness training to help avert the same data breach from occurring again.
BEC Attack on Midwest Geriatric Management Affects 4,800 People
Midwest Geriatric Management (MGM) Healthcare has informed 4,814 persons that a selection of their PHI was possibly exposed because of a business email compromise attack. A scammer imitated the CFO and sent an email message to an MGM employee asking for a spreadsheet to be sent through email. Thinking the request was authentic, the personnel responded and provided the sheet.
Email security features were set up that should prohibit attacks such as this, however in this instance those security features were bypassed. The spreadsheet included names, account balances, and the name of the pertinent center. No other data was breached.
MGM’s investigation showed that this was a separate case and no other parts were affected. Additional training was offered to staff about email security and, as a safety measure, all impacted people got a free myTrueIdentity identity theft protection services membership.
TennCare Mailing Vendor Breach Affects 3,300 Members
The state Medicaid health plan of Tennessee, TennCare, has reported a mailing error by a vendor that resulted in the exposure of some of the PHI of roughly 3,300 members.
Gainwell, which operates TennCare’s Medicaid Management Information System, found out that the mailing vendor Axis Direct dispatched messages to TennCare members in late 2019 and 2020 that was misaddressed and delivered to the wrong recipients.
TennCare received advice regarding the breach on October 23, 2020. Gainwell assured TennCare that it has identified the cause of the error and has taken steps to avoid similar incidents later on. Affected people received free credit monitoring services membership.