Aetna first notifying 238 Virginia employees of BenefitMall breach that they’ve known about since December, 2018?

In January, 2019, we learned about a breach at Centerstone Insurance and Financial Services, Inc. d/b/a BenefitMall, a business associate.  The breach reportedly affected more than 111,000 insurance members/covered employees of the vendor’s clients. HIPAA Journal covered the incident.

Yesterday, Aetna issued a public notice  related to the incident. Surprisingly, their notice discloses that by December 18, 2018, they had received information from BenefitMall as to which employees were potentially impacted.

So why did it take Aetna from then until this week to handle notifications for a few hundred people in Virginia?  That seems way too long a gap.

Public Notice
AETNA NOTIFIES MEMBERS OF VENDOR PRIVACY BREACHThis serves as a public notice that Aetna, a CVS Health business (NYSE: CVS), has notified approximately [238] [Virginia ] residents that Centerstone Insurance and Financial Services, Inc. d/b/a BenefitMall, a general agent that also acts as a third-party vendor that Aetna utilizes to provide administrative services related to employee benefits (e.g., enrollment and billing services), had certain employee email accounts compromised. Aetna confirmed that this incident did not involve any Aetna system or application, and did not involve any personal information that Aetna maintained.BenefitMall notified Aetna on December 11, 2018 that Aetna members may have been impacted by the breach. On December 18, 2018, BenefitMall provided Aetna with a list of potentially affected members. Upon receipt, Aetna began to gather the information necessary to mail letters to affected members to explain the situation and provide additional resources. Although Aetna is not aware of any evidence to indicate improper use of member information, Aetna is offering each affected member two years of credit monitoring coverage, at no cost,.BenefitMall notified Aetna that the breach was caused by phishing attacks, which occurred between approximately June 2018 and October 19, 2018, and have since been contained. BenefitMall informed Aetna that the affected correspondence may have included names, addresses, Social Security numbers, dates of birth, zip codes, bank account numbers, plan descriptions, premium payment amounts, and health plan beneficiary numbers.

If members have any questions, they can call Aetna toll-free at the number on the back of their member ID cards. 6285007

About the author: Dissent