(update) Aetna file cabinet contained more records than previously thought?
Aetna reported the incident to HHS last week, indicating that 6,372 policy holders were affected (in contrast to earlier reports variously indicating 4,900 or 5,000). Interestingly, HHS coded the event as “unauthorized access.” I probably would have coded it as “exposure.”
In any event, it seems that Aetna issued a revised statement on the breach on July 16 that I just discovered now in looking into the HHS report. The revised statement indicates that even more policyholders were affected.* From their site:
Aetna announced today that it is notifying 7,250 people that paper files containing some personal information were mistakenly left in a file cabinet the company was disposing as part of an office move. The files were voluntarily returned to Aetna and the company has no reason to believe the information will be misused in any manner. Nonetheless, the company is offering the affected individuals free credit monitoring to provide peace of mind.
Most of the documents in the file cabinet were health plan dependent enrollment forms from the 2003 to 2007 period for people who worked for mid-sized employers and lived in New Jersey or Pennsylvania. These documents are forms employers send to Aetna to add or change coverage for their employees’ dependents. The enrollment forms capture name, address, Social Security number and date of birth. The forms do not include any medical or banking information. Approximately a dozen people had other types of documents in the files that included medical information, such as explanation of benefits forms.
Aetna has many privacy policies and processes in place to safeguard member information, which it continuously reviews to make sure information stays confidential. The company trains staff regularly on how to protect member information, and requires vendors that handle member information to protect it, as well. Despite the company’s best efforts, sometimes mistakes still happen. Aetna takes all mistakes seriously, and implements corrective actions and conducts notification as warranted.
In this situation, a vendor that was hired to move and discard the old office furniture later put the file cabinet out for clearance on March 29, among other furniture from its warehouse. The person who obtained the cabinet found Aetna documents in it, contacted us and returned the documents on May 28. We immediately reviewed the contents to identify whose information was included. We needed that information in order to begin member notifications.
Aetna is taking corrective actions to tighten our processes for office moves and our document retention policies with both employees and vendors, along with other measures, to help ensure that this does not happen again.
The company is sending letters of apology to each affected individual that explains the situation and advises them how to take advantage of the free credit monitoring and put a fraud alert on their files. The company is also providing a toll-free number (1-888-261-2042) where people who receive a letter can ask questions.
* An Aetna spokesperson who responded to my inquiry about the incident explains, “… the numbers appear a little different because we report to HHS membership that we insure; employers who self-fund their health plans are required to report that membership.”