The health insurance provider Aetna ACE recently announced being impacted by a ransomware attack on a mailing vendor resulting in the breach of protected health information (PHI) of 326,278 plan members. Aetna stated the breach only affected persons insured with Aetna ACE, and it did not affect any PHI of persons served by CVS Health or Aetna.
The ransomware attack impacted OneTouchPoint, which offers printing and mailing solutions to U.S. organizations, which include billing providers employed by healthcare companies. OneTouchPoint gets access to contact data and some other data types to deliver its contracted solutions. On April 28, 2022, OneTouchPoint found out that files were encrypted on its systems. The unauthorized access happened a day before April 27, 2022.
Third-party cybersecurity experts were hired to look into the security breach. The investigation concluded on June 1, 2022, however, it was not determined which particular files had been exfiltrated from its network. Impacted customers had been informed on June 3, 2022, and OneTouchPoint is determining which of the customers’ data was possibly accessed or extracted from its systems. The compromised and possibly stolen information may have included names, addresses, birth dates, member IDs, and some medical data.
OneTouchPoint stated it offered to mail notification letters to all impacted persons; nonetheless, a few of its clients opted to self-report the data breach and mail the notification letters themselves. OneTouchPoint has submitted the breach report to the Maine Attorney general on behalf of 30 health plans stating that 1,073,316 persons were impacted. Aetna ACE opted to self-report the data breach. Other health plans impacted by the ransomware attack on OneTouchPoint include Anthem, Kaiser Permanente, Humana, Health First, Geisinger, UPMC Health Plan, Blue Cross and Blue Shield of Alabama, Blue Shield of California Promise Health, and other affiliated health plans of Blue Cross Blue Shield.
This is not the first time Aetna ACE experienced data breaches at business associates. A business associate phishing attack in 2020 exposed the PHI of 484,157 plan members of Aetna ACE. Because of the response made by a staff member of vendor EyeMed to a phishing email, unauthorized persons got access to email accounts that held the PHI of 2.1 million persons. EyeMed had to pay a $600,000 fine to the New York State Attorney General for security violations that resulted in the data breach.
Aetna furthermore encountered another mailing-associated data breach in 2017, which impacted 12,000 persons. In that instance, a mailing was delivered to members to let them know about the various options available for getting prescriptions for their HIV drugs. But window envelopes were used and so the HIV drug details could be read by anyone who would know that the recipient members were getting treatment for HIV or were given HIV medicines to avoid infection. State attorneys general investigated Aetna in this case. Aetna had to pay over $2,725,000 million in penalties to settle the case. A $1,000,000 fine was additionally enforced by the HHS’ Office for Civil Rights, and Aetna resolved a $17 million class action lawsuit.