Triple Data Breach Earns Insurer $1m Fine

  • An American health insurance company has been fined $1m over three data breaches that occurred over a six-month period in 2017.

    Aetna agreed to the fine and to the adoption of a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The payment will go to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS).

    On April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members had allowed those documents to be accessed without login credentials. As a result of this breach, the sensitive information of 5,002 people was exposed.

    Protected health information (PHI) disclosed in the incident included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
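The first breach is the classic missing-authentication failure on a document endpoint. The following is an added example, not Aetna's code and not anything the report describes beyond "accessible without login credentials": a document lookup that trusts the document ID alone, beside a hardened version that requires a session and checks that the document belongs to the requesting member, plus a small probe of the kind a periodic technical evaluation would run to catch the weak pattern. All member IDs, document IDs, sessions and document contents are constructed for the example.

```python
"""Added example: unauthenticated document exposure vs. a hardened handler.

Not Aetna's code. The data below is constructed to resemble the PHI fields
the report lists (claim amounts, service codes, dates of service).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed store: document id -> (owning member id, document contents)
DOCUMENTS: Dict[str, Tuple[str, str]] = {
    "doc-1001": ("member-7", "Claim payment $212.40, service code 99213, DOS 2017-03-02"),
    "doc-1002": ("member-9", "Claim payment $48.00, service code 80053, DOS 2017-03-15"),
}

# Constructed session store: opaque session token -> authenticated member id
SESSIONS: Dict[str, str] = {"tok-abc": "member-7"}


@dataclass
class Request:
    doc_id: str
    session_token: Optional[str] = None  # None models a caller with no credentials


@dataclass
class Response:
    status: int
    body: str = ""


def get_document_weak(req: Request) -> Response:
    """The failure mode: the document id is the only thing checked.

    Anyone who knows or guesses an id (they are often sequential) receives the
    PHI with no login at all.
    """
    entry = DOCUMENTS.get(req.doc_id)
    if entry is None:
        return Response(404)
    return Response(200, entry[1])


def get_document_hardened(req: Request) -> Response:
    """Require a valid session, then enforce that the document belongs to it."""
    member = SESSIONS.get(req.session_token) if req.session_token else None
    if member is None:
        return Response(401)  # no or unknown session: refuse before any lookup
    entry = DOCUMENTS.get(req.doc_id)
    if entry is None or entry[0] != member:
        # Same answer for "missing" and "someone else's" so ids cannot be enumerated
        return Response(404)
    return Response(200, entry[1])


def unauthenticated_exposure(
    handler: Callable[[Request], Response], doc_ids: List[str]
) -> List[str]:
    """Periodic technical check: request every id with no credentials.

    Returns the ids whose contents are served to an anonymous caller; an
    empty list is the expected result for a correctly protected endpoint.
    """
    return [d for d in doc_ids if handler(Request(d)).status == 200]


if __name__ == "__main__":
    ids = list(DOCUMENTS)
    print("weak handler leaks:", unauthenticated_exposure(get_document_weak, ids))
    print("hardened handler leaks:", unauthenticated_exposure(get_document_hardened, ids))
```

The probe is deliberately dumb: it only asks whether an anonymous request gets a 200. That is enough to flag the weak handler, and it is the sort of check that can run against every document-serving endpoint after each deployment, which is what "periodic technical evaluations of operational changes" amounts to in practice.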

    Aetna experienced a second data breach on July 28, 2017, when benefit notices mailed to members in window envelopes showed the words “HIV medication” next to the member’s name and address. A breach report submitted to OCR in August stated that 11,887 individuals were affected by this disclosure.

    The third 2017 breach to hit Aetna occurred on September 25, when a research study mailing sent to members displayed on the envelope the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating. Aetna reported in November 2017 that 1,600 individuals were affected by this breach.

    OCR’s investigation into the breaches found that, in addition to the impermissible disclosures, Aetna “failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI.”

    “Unfortunately, on many occasions where it would have cost the organization several thousand dollars for technology or training, the decision was made not to purchase the product or service,” James McQuiggan, security awareness advocate at KnowBe4, told Infosecurity Magazine.

    “These decisions come back around later after a data breach that costs hundreds of thousands in lost productivity, revenue, and fines. Organizations need to have a robust security awareness training program to help employees make smarter security decisions to protect an organization from a variety of attacks.”