Nearly 500K Aetna members affected by EyeMed security incident

Aetna, which contracts with EyeMed to provide vision benefit services for members, said an EyeMed email mailbox was accessed by an unauthorized individual earlier this year.
By Kat Jercich
02:25 PM


Aetna this past week reported that 484,157 members had been affected by an email-hacking incident over the summer.

The incident, which was reported to the U.S. Department of Health and Human Services' Office of Civil Rights on Tuesday, stemmed from an unauthorized individual accessing an EyeMed email account. Aetna contracts with EyeMed to provide vision benefit services for members.  

"Aetna was informed on September 28, 2020, that an EyeMed email box was accessed by an unauthorized individual and that phishing emails were sent to email addresses contained in the mailbox’s address book," said an Aetna representative in a statement to Healthcare IT News.  

"The mailbox contained information about individuals who formerly or currently receive vision-related services through EyeMed, including Aetna customers," the representative continued.

That information may have included name, address, date of birth, vision insurance account number, and – in some circumstances – social security number, birth or marriage certificate, medical diagnosis and treatment information, they said.  

WHY IT MATTERS  

According to a statement posted on EyeMed's website, the company discovered that the email mailbox had been compromised on July 1. That day, EyeMed blocked access to the mailbox and secured it.   

Aetna says that EyeMed hired a cybersecurity firm to assist in investigating the incident and that it took "immediate steps" to enhance protections already in place.

EyeMed says it is providing additional security awareness training and that it has mailed letters to affected individuals.  

"It could not be fully determined whether, and to what extent, if any, the unauthorized individual viewed or acquired personal information," an Aetna representative told Healthcare IT News. "However, EyeMed and Aetna are not aware of any misuse of information that may have been accessed during this incident."

THE LARGER TREND

The incident is just another in a string of recent high-profile security breaches targeting the healthcare industry.

Phishing and ransomware campaigns, already on the rise, got an additional energy boost from COVID-19, with an at-home workforce, fears around the virus and employee incaution all potentially contributing to gaps in security.

The trend is unlikely to abate. Experts say to expect much of the same in 2021, fueled by hunger for knowledge about coronavirus vaccines.

ON THE RECORD  

"Aetna places the highest priority on protecting the privacy of its customers and takes significant measures to protect private information from unauthorized uses and disclosures," said the Aetna spokesperson. "We continue to stay in close contact with EyeMed to help ensure it takes the appropriate steps to protect customers’ information."

 

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
