Aetna has announced that around 484,000 of its members were impacted by a data breach at a business associate that provides services for its vision benefits plan members. In July 2020, an unauthorized individual gained access to the email account of an EyeMed employee in Cincinnati and used it to send further phishing emails to people listed in the mailbox’s contacts.
EyeMed’s investigation of the breach confirmed that the mailbox held the protected health information (PHI) of about 1,300 members of Blue Cross Blue Shield of Tennessee, 484,157 Aetna members and 60,545 members of Tufts Health Plan. No evidence was found that suggests theft or misuse of PHI, though data theft cannot be ruled out with 100% confidence. EyeMed notified the affected health plans regarding the breach in September.
The compromised email account held information including members’ names, dates of birth, health insurance ID numbers, and vision insurance ID numbers. The birth certificates, Social Security numbers, diagnoses, and financial information of a number of members were also compromised. The breach only affected current and former members of the health plans mentioned above who obtained vision benefits through EyeMed.
An EyeMed spokesperson reported that it has taken prompt action to improve security and provided security awareness training to help prevent a similar breach from taking place again.
Midwest Geriatric Management BEC Attack Has Impacted 4,800 Persons
Midwest Geriatric Management (MGM) Healthcare has sent notifications to 4,814 people that some of their PHI was likely breached due to a business email compromise attack. The attacker impersonated the CFO and emailed an MGM staff member requesting that a file be sent by email. Assuming the request to be legitimate, the staff member responded and sent the file.
Email security measures were in place that should block attacks like this, yet in this case those measures were bypassed. The spreadsheet contained names, account balances, and the name of the applicable facility. No other details were affected.
MGM’s investigation determined that this was an isolated incident and no other systems were impacted. More training was given to personnel regarding email security and, as a precaution, all affected persons received complimentary myTrueIdentity identity theft protection services.
PHI of Premier Kids Care, Inc. of Georgia Patients
Premier Kids Care, Inc. (PKC) of Georgia found out that an unauthorized person had accessed its networks and acquired some patient information. The breach was first detected on April 6, 2020. It is unknown why the issuance of breach notifications was delayed for 8 months.
The types of data kept on the breached computer included names, addresses, phone numbers, birth dates, treatment data, and medical insurance data. Affected persons received a free membership to identity theft protection and credit monitoring services for 12 months.