Aetna has announced more than 484,000 of its members have been impacted by a data breach at a business associate that provides services for members of its vision benefits plans. In July 2020, an unauthorized individual gained access to an email account of an employee of Cincinnati-based EyeMed and used the email account to send further phishing emails to individuals in the address book of the mailbox.
EyeMed investigated the breach and determined the mailbox contained the protected health information of 484,157 Aetna members, 60,545 members of Tufts Health Plan, and around 1,300 members of Blue Cross Blue Shield of Tennessee. No evidence of data theft or misuse of PHI was identified, although it was not possible to rule out data theft with a high degree of certainty. Affected health plans were notified about the breach in September.
The compromised email account contained information such as members’ names, dates of birth, vision insurance ID numbers, health insurance ID numbers and, for a limited number of individuals, Social Security numbers, birth certificates, diagnoses, and financial information. The breach only impacted current and former members of the above health plans who received vision benefits through EyeMed.
A spokesperson for EyeMed said, “To help prevent something like this from happening again, we have taken prompt action to enhance the protections that were already in place before the incident, including additional network security measures and security awareness training.”
Midwest Geriatric Management BEC Attack Impacts 4,800 Individuals
Midwest Geriatric Management (MGM) Healthcare has notified 4,814 individuals that some of their protected health information was potentially compromised in a business email compromise attack. A fraudster impersonated the CFO and sent an email to an MGM employee requesting a spreadsheet be sent via email. Believing the request to be genuine, the employee responded and sent the spreadsheet as requested.
Email security features were in place that should block attacks such as this, but in this case those security features were circumvented. The spreadsheet contained names, account balances, and the name of the relevant facility. No other information was compromised.
MGM’s investigation revealed this was an isolated incident and no other systems were compromised. Further training has been provided to employees on email security and, out of an abundance of caution, all affected individuals have been offered a complimentary membership to myTrueIdentity identity theft protection services.
TennCare Mailing Vendor Breach Impacts 3,300 Members
Tennessee’s state Medicaid health plan, TennCare, has announced that an error at a mailing vendor has exposed a limited amount of the protected health information of approximately 3,300 of its members.
Gainwell, which runs TennCare’s Medicaid Management Information System, discovered mailings sent to TennCare members by its mailing vendor Axis Direct in late 2019 and 2020 were misaddressed and sent to incorrect addresses.
TennCare was notified about the breach on October 23, 2020. Gainwell has provided assurances that the cause of the error has been identified and steps have been taken to ensure similar incidents do not occur in the future. Affected individuals have been offered complimentary membership to credit monitoring services.
PHI of Premier Kids Care, Inc. of Georgia Patients Compromised
Premier Kids Care, Inc. (PKC) of Georgia has discovered an unauthorized individual gained access to its systems and obtained a limited amount of patient data. The breach was initially discovered on April 6, 2020. It is unclear why it took 8 months for breach notifications to be issued.
The types of information stored on the compromised computer included names, addresses, telephone numbers, dates of birth, treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to identity theft protection and credit monitoring services.
The post 484,000 Aetna Members Impacted by EyeMed Phishing Incident appeared first on HIPAA Journal.