326,278 Aetna ACE Members Affected by Ransomware Attack at Mailing Vendor

The health insurer Aetna ACE is one of the latest healthcare organizations to announce it has been affected by a ransomware attack on a mailing vendor, which involved the protected health information of 326,278 plan members. Aetna said the breach was limited to individuals insured under Aetna ACE, and that no protected health information of individuals served by Aetna or CVS Health was involved.

The ransomware attack affected OneTouchPoint, which provides printing and mailing services for U.S. companies, including billing vendors used by healthcare organizations. To perform its contracted services, OneTouchPoint receives contact information and a limited set of other data types from its clients. On April 28, 2022, OneTouchPoint discovered that files on its systems had been encrypted; the unauthorized access had occurred the previous day, April 27, 2022.

Third-party cybersecurity specialists were engaged to investigate the security incident and completed the investigation on June 1, 2022, but were unable to determine which specific files had been exfiltrated from OneTouchPoint's systems. Affected customers were notified on June 3, 2022, and OneTouchPoint worked with those customers to determine the types of information that could potentially have been viewed or removed from its systems. The exposed and potentially stolen data included names, addresses, dates of birth, member IDs, and limited medical information.

OneTouchPoint said it offered to send notifications to all affected individuals; however, some of its clients chose to self-report the breach and send notifications themselves. OneTouchPoint has reported the incident on behalf of 30 health plans and informed the Maine Attorney General that 1,073,316 individuals had been affected. Aetna ACE chose to self-report the breach. Other health plans affected by the OneTouchPoint ransomware attack include Anthem, Humana, Kaiser Permanente, Geisinger, Health First, UPMC Health Plan, Blue Shield of California Promise Health, Blue Cross and Blue Shield of Alabama, and other Blue Cross Blue Shield-affiliated health plans.


Aetna ACE is no stranger to data breaches at business associates. In 2020, a phishing attack on the business associate EyeMed exposed the PHI of 484,157 Aetna ACE plan members. An EyeMed employee responded to a phishing email, which gave unauthorized individuals access to email accounts containing the PHI of 2.1 million individuals in total. EyeMed was fined $600,000 by the New York State Attorney General for the security failures that led to the data breach.

Aetna also experienced a mailing-related data breach in 2017 that affected 12,000 individuals. In that case, a mailing was sent to members to inform them about different options for filling prescriptions for their HIV medications; however, window envelopes were used through which the HIV drug information was clearly visible, revealing that the members were being treated for HIV or were taking HIV medications to prevent infection. Aetna was investigated by state attorneys general, settled the cases, and paid more than $2,725,000 in penalties. A $1,000,000 penalty was also imposed by the HHS' Office for Civil Rights, and Aetna settled a class action lawsuit for $17 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.