OneTouchPoint, a subcontractor that performs printing and mailing services for one of the insurer’s vendors, is believed to have been involved in an apparent ransomware incident that affected the health data of nearly 326,000 people, according to a report by health insurer Aetna ACE to federal regulators.
OneTouchPoint, a Wisconsin-based company, informed Maine’s attorney general last week that almost 1.1 million people were impacted by a hacking issue that was detected in April.
More than 30 health plan clients are also listed by OneTouchPoint in a statement on its website as being impacted by the incident. That list does not contain Aetna ACE.
Nevertheless, on July 27, Aetna ACE notified the Department of Health and Human Services that there had been a HIPAA violation involving over 326,300 people.
In a statement released to Information Security Media Group on Tuesday, Aetna said the exposed information may have included names, addresses, dates of birth, and limited medical information.
According to Aetna, neither its own systems nor those of its parent firm CVS Health were involved in the incident.
According to some experts, breaches involving health insurers raise serious privacy and security issues for the members’ protected health information.
According to Kate Borten, owner of the privacy and security consulting business The Marblehead Group, insurance firms frequently keep substantial amounts of personally identifiable information that are desirable to hackers.
Previous Mailing Breach
The OneTouchPoint incident is not the first health data breach involving a provider of printing and mailing services that Aetna has revealed.
Aetna was forced to pay millions of dollars in regulatory fines and legal settlements as a result of a botched mailing breach in 2017 that affected 12,000 people (see: Yet Another Twist in Messy Aetna Privacy Breach Case).
This privacy violation happened when a vendor mailed letters to 12,000 Aetna plan members across many states to let them know about new choices for filling prescriptions for their HIV medicines. The envelopes for that mailing had transparent windows and might have revealed the participants’ HIV drug information.
Aetna was forced to pay more than $20 million in legal settlements as a result of the privacy issue, which included regulatory fines imposed by a few state attorneys general and the resolution of class action lawsuits.