Aetna ACE has announced that it has suffered a healthcare breach. According to the Office for Civil Rights (OCR) breach portal, the incident affected 484,157 patients. More details regarding the Aetna ACE breach are discussed below.
What Caused the Aetna ACE Breach?
On December 22, Aetna announced that they had suffered a healthcare breach affecting 484,157 patients. So what happened?
Aetna contracts EyeMed to provide services for members of the vision benefits plan. In July, EyeMed, owned by Luxottica, reported to the federal government that they had been victim to an email hack, compromising the protected health information (PHI) of hundreds of thousands of patients. Other organizations affected by the breach include LensCrafters and Target Optical.
According to Luxottica, PHI potentially compromised in the breach include patient names, contact information, appointment dates and times, health insurance policy numbers, and doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures. Some patients also had their credit card and Social Security numbers exposed in the breach.
Although investigations into the Aetna ACE breach are still underway, it appears as though the PHI accessed in the incident has not been used by threat actors. Patients affected by the Aetna ACE breach will receive breach notification letters in the mail.
Protecting Your Organization Against an Email Breach
Most email breaches occur as a result of phishing attacks. A phishing attack occurs when an unauthorized entity disguises themselves as a trusted entity in an attempt to obtain sensitive information. Phishing attacks have become the leading cause behind healthcare breaches, and as such, you must prepare your organization against them.
What can you do?
The best answer (besides implementing advanced security tools to detect phishing incidents before someone falls victim), is training employees. Employees should be trained on how to recognize a phishing attempt, and how to report a suspected phishing attack.