Aetna Insurance has also reported a breach in recent months, but unlike the Anthem and Premera Blue Cross breaches, the Aetna breach does not appear to have been a massive one.
In a letter dated January 8, the insurance company notified the Maryland Attorney General’s Office that six Maryland residents were among those being notified that their information had been found in the possession of a former employee who had been arrested in Florida. The data theft was reported to Aetna by the IRS.
As Aetna explains:
On December 2, 2014, Aetna’s Investigative Services unit received notification from the IRS that a former Aetna employee had been arrested in Florida. The arrest took place in April 2014. The individual stopped working for Aetna in August 2013. The former employee’s personal cell phone was confiscated and pictures of screen shots from Aetna computer screens were found on it. The IRS has the cell phone and is conducting a criminal investigation of possible identity theft. The IRS also provided copies of the cell phone pictures to Aetna.
So it appears the data theft had occurred before August 2013 but was never detected (somewhat understandably if these were screen shots taken from a computer). Why law enforcement delayed over 7 months before notifying Aetna was not explained.
Aetna’s Investigative Services unit reviewed the pictures and found that 133 Aetna disability members had their name, date of birth, social security number and employer name captured in the screen shots.
Some of the pictures were blurry and only certain fields could be read by our investigators. However, in late December, by cross referencing information in our systems, we were able to recreate the data on the pictures. While it is unlikely that all members’ information was legible enough to be at risk, all of them are being notified of the incident and offered free credit monitoring services.
Aetna made a point of noting that they had conducted a criminal background investigation before hiring the employee in 2007. “A subsequent background check revealed no criminal activity for this employee from 2007 to August 2013, when she left our employ,” Aetna’s Chief Privacy Officer reports.
This is not the first time we’ve seen insiders take screenshots of computer screens for an ID theft scheme (cf. this case or this case). I’d be curious to see what hospitals are doing to prevent this type of data theft.