An American insurance company has been fined $1m over three data breaches that occurred over a six-month period in 2017.
Aetna agreed to the fine and to the adoption of a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The payment will go to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS).
On April 27, 2017, Aetna discovered that two web services used to display plan-related documents to health plan members had allowed documents to be accessible without login credentials. As a result of this breach, the sensitive data of 5,002 individuals was exposed.
Protected health information (PHI) disclosed in the incident included names, insurance identification numbers, claim payment amounts, procedure service codes, and dates of service.
Aetna experienced a second data breach on July 28, 2017, when benefit notices mailed out to members in window envelopes displayed the words "HIV medication" next to the member's name and address. A breach report submitted to OCR in August stated that 11,887 individuals were affected by this disclosure.
The third 2017 breach that hit Aetna happened on September 25, when a research study mailing sent to members displayed the name and logo of the atrial fibrillation (irregular heartbeat) research study in which they were participating on the envelope. Aetna reported in November 2017 that 1,600 individuals were affected by this breach.
OCR's investigation into the breaches found that in addition to the impermissible disclosures, Aetna "failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI."
"Unfortunately, on numerous occasions where it would have cost the organization several thousands of dollars for technology or training, the decision was made not to purchase the product or service," James McQuiggan, security awareness advocate at KnowBe4, told Infosecurity Magazine.
"These decisions come back around later after a data breach that costs millions in lost productivity, revenue, and fines. Organizations need to have a robust security awareness training program to help employees make smarter security decisions to protect an organization from various attacks."