What were the circumstances surrounding the theft?
According to Concentra, the break-in occurred on Oct. 26 at a multi-tenant office building. The police believe this is a routine burglary by common thieves looking to pawn property for cash.
Why are you notifying people now if the event occurred in late October?
We began notification as soon as we possibly could. Aetna did not receive the information that Concentra was able to reconstruct from the missing tapes until Nov. 10. Then our IT forensic team worked 24/7 to complete a thorough and accurate analysis.
This time-consuming process was like reassembling several different jigsaw puzzles with all the pieces jumbled together in the same bag and no pictures to follow.
Here's why:
- The information on the back-up tapes was fragmented. The vendor had only the information it needed to review claims, and then broke that information into different pieces to run analyses. Many records, for example, only contained a claim identification number.
- In order to arrive at an accurate accounting of each affected member, Aetna then needed to piece together the partial records by matching the information against our own database and mapping it back to individual members and their employers.
- The format and medium of the data Aetna received from the vendor also constrained the order and timing of the reconstruction and analysis steps.
How likely is it that the loss of this information will result in identity theft? Why do you believe the data would be hard to access?
Concentra believes it is unlikely that the data on the back-up tapes could be successfully read. Reading them requires a specific combination of commercial tape equipment and particular versions of back-up and database software, and the data itself is stored in unlabeled formats that are difficult to interpret. The tapes cannot be read on a standard PC.
Concentra consulted a third-party data expert to determine the likelihood of the data being successfully accessed. The expert agreed that the likelihood was low.
Additionally, law enforcement authorities believe that, based on the nature of the crime and the items taken from the six businesses, this was the act of common thieves looking for cash and other property to pawn. There is no indication that data theft was targeted.
Were other health plans involved?
Yes, it is our understanding that numerous other health insurance carriers were involved.
What information was contained on the tapes?
Concentra performs medical claim audits, specializing in hospital bill review, so the claim data on the tapes included some personal member information linked to the claims. The data records included items such as the member name and Social Security number or Aetna member ID number, along with hospital codes (indicating what hospital department, such as Radiology or Pharmacy, provided a service for the member).
There was no member banking information on the tapes.
What is Aetna doing to protect individuals whose information was compromised?
Aetna believes the likelihood of anyone successfully accessing or compromising the data to be low. Nonetheless, we regret that this burglary occurred, and we are directly notifying affected individuals.
Additionally, Aetna is arranging for credit monitoring services for potentially affected people to help prevent any potential misuse of the information. Aetna is contacting each affected individual directly with information on how to access this service.
What is Aetna's policy on the handling of confidential information?
Aetna has physical and electronic safeguards to protect confidential information. Every year, all employees are required to complete data security training and certify that they are in compliance with all business conduct policies including data security.
In addition to our own data security safeguards, which we continually review to minimize risk, Aetna contractually requires its vendors to maintain stringent security controls, and we perform security risk assessments of our vendors to help prevent inappropriate disclosure of, or access to, personal information.
Vendors
- Each vendor that handles personal health information in performing services for Aetna operates under a contract that requires administrative, physical and technical safeguards to protect that information. These contract provisions comply with the federal HIPAA Privacy and Security Rules, which require Aetna to have a signed Business Associate Agreement with each vendor that is granted access to member health information to help Aetna administer health benefits.
- In addition, Aetna performs security risk assessments of our vendors to help prevent inappropriate disclosure of personal information.
Aetna Data Security
- Employees must always store member information and devices such as laptops and other mobile devices securely, using approved company equipment.
- Laptops and PCs may be connected to the Internet only through the company's electronic firewall. All PCs are regularly scanned for viruses using the latest definitions and technology.
- All confidential member information must be encrypted when it is transmitted over the Internet or carried on CDs or DVDs. All desktop and laptop computers are also encrypted.
- Aetna's servers can only be accessed with authenticated IDs and passwords, which are revoked when employment ends.