Aetna ACE has recently announced that it was affected by a ransomware attack on a mailing vendor. The data breach involves the unauthorized disclosure of information belonging to 326,278 clients. According to the health insurer, the affected clients were limited to those covered by Aetna ACE. Neither Aetna nor CVS Health clients’ protected health information was compromised.
The vendor involved in the data breach was OneTouchPoint. The company provides printing and mailing services to various companies and organizations, including billing vendors for healthcare organizations. To use OneTouchPoint’s contracted services, organizations are required to provide contact details and a small number of additional data types. On April 28, 2022, OneTouchPoint determined that files on the company’s networks had been accessed and then encrypted by an unauthorized third party.
Upon detection, OneTouchPoint immediately launched a comprehensive investigation of the incident. The company was unable to identify which specific files had been accessed and removed from its networks. On June 3, 2022, OneTouchPoint notified affected clients that their personal information had been accessed by a malicious third party. The information accessed included names, dates of birth, addresses, member IDs, and medical information.
OneTouchPoint has listed the 30 impacted health organizations on its website. These include Clover Health, several Blue Cross Blue Shield branches, and several BlueCross or BlueShield departments. The incident has been reported to the Maine Attorney General, confirming that over 1 million individuals have been affected by the breach. While OneTouchPoint offered to notify all impacted individuals, some of its clients have opted to report the breach and send notifications on their own behalf. OneTouchPoint has promised to implement safeguards to further protect the information it manages. The company has also asked affected individuals to make contact should they have any questions or want additional information regarding the data breach.
This security incident is the third Aetna ACE has experienced in 5 years. In 2017, the health insurer experienced another mailing-related data breach affecting approximately 12,000 clients. An investigation was conducted by the state attorney general, resulting in a case settlement and a financial penalty of over $2,275,000 million. The second occurred in 2020, when a phishing attack on a business associate resulted in the unauthorized disclosure of information concerning over 484,000 plan members.