“Wannacry” ransomware information and Aetna’s response
Several media outlets published May 12 reports on an aggressive form of ransomware that has affected organizations in many countries.
We understand from these media reports that the attacks have had particular effects on health care organizations, including 16 National Health Service (NHS) facilities in the United Kingdom. These reports also indicated that some of the affected facilities canceled outpatient appointments and informed people to avoid emergency departments if possible.
According to media reports, this ransomware, called "WannaCry" or “Wanna Decryptor,” encrypts the files on an infected computer and then demands the payment of $300 in the form of the cryptocurrency Bitcoin in order to obtain the decryption key and regain control of the files. After three days, the amount of Bitcoin demanded by the ransomware increases to $600. Ultimately, the ransomware threatens to delete the files if payment is not made within seven days.
Our response
- In light of media reports describing the widespread impact of this malware, particularly in the health care sector, Aetna activated its cybersecurity incident response team. This team has engaged in a number of active measures to reduce the potential risk associated with this malware.
- As of 12 pm ET on May 15, 2017, we had not identified evidence or received reports from employees that this malware has impacted any systems owned or managed by Aetna. Previous preventive steps in preparation for this specific event have resulted in additional protection against ransomware attacks.
- This information was also shared with the National Health Information Sharing and Analysis Center (NH-ISAC) to benefit the health care industry.
- We are contacting other constituents (including health care providers and vendors) to determine what impact, if any, this malware has had on their businesses.
- Because of the reported acute impact that this malware has had outside the United States, we are actively assessing groups associated with our international business.
- We continue to monitor the potential impact on health care providers in order to be responsive to the needs of our members and employees, including their access to medical providers.
For more information
News updates on the ransomware attack
Archived Alerts
Avoid scams that use the Aetna name
November 2015
Aetna has become aware of impostors who are calling people – often multiple times a day – and fraudulently claiming to be from Aetna. The calls may be from an automated service that repeatedly dials a number, or from a live person. Aetna is not placing these calls, or directing others to place them.
By falsely claiming to represent Aetna, one of our companies or any other reputable company, these scam artists want to trick you into
- Sharing personal information that they will use to later steal from you
- Giving them money for promised goods or services that you will never receive.
This form of fraud is called "phishing" and it is illegal.
Often, the people making these fake calls will talk about a new service that Aetna is providing. The service requires a health assessment. The person offers to send someone to your home to complete the assessment and send the results to your doctor.
The imposters have called cell phones as well as land lines. We cannot warn you about certain phone numbers to look for on caller ID. The phone numbers are always different. But they often have local area codes.
What to do with a suspicious call
If you have any suspicions about a call or caller –
- Do not pick up the call.
- If you answer, hang up immediately. Do not give out personal details.
- Do not try to remove your number from the caller’s list. This will confirm that your number is an active phone number.
- Report the number to the local fraud unit of your telephone company.
- Report the number to the Federal Trade Commission.
Suspicious numbers
Two suspicious telephone numbers that have come to our attention are 571-441-0062 and 970-999-7057. These numbers are not from Aetna or any vendor working for Aetna.
Spoofing Your Number
Aetna also has received reports that legitimate business owners have received calls from scam artists who say they represent Aetna. After that, the telephone number of that legitimate business starts cropping up on the caller IDs of other people who receive calls from these same scam artists. The technology to fake a caller ID is called "spoofing," and it is a way to disguise the source of the incoming call.
Aetna does not "spoof" the numbers of our customers or potential customers. If your number has been spoofed, report it to the local fraud unit of your telephone company and the Federal Trade Commission.
If You Think You've Been Scammed
If you believe you are a victim of a phishing scam, act quickly. Contact your bank or credit-card company immediately to report your suspicions. In many instances, you can ask them to impose password protection on your accounts. This prevents the unauthorized release of funds. If necessary, report any loss of funds to your bank, the police, and the Federal Trade Commission.
Legitimate Aetna Calls
Aetna complies with the law when making calls to our members and business associates. We may need more information about a claim, for example, or we may be reaching out as part of our care management programs. If you are suspicious of giving information to someone who says they are from Aetna, hang up and call the Member Services number on your ID card. Ask to have your call directed to the department that was asking for the information. That way, you can be sure you are giving the information to Aetna.
Aetna addresses Linux security flaw
January 2015
Qualys recently disclosed a flaw, known as GHOST, within the Linux operating system. The vulnerability could allow a skilled attacker to add malicious code to a system without authorization.
Aetna has thoroughly assessed our environment and is currently patching impacted system components. We do not believe that any of our systems or customer data have been compromised as a result.
We will continue to monitor our systems to protect our member, plan sponsor and provider data. We also have remediation plans in place, so we can quickly address any issues we find. Finally, we are working with all suppliers and vendors to assure that their systems are protected.
Members, providers and plan sponsors do not need to take any action to protect their Aetna data. However, it’s always a good practice to routinely change passwords.
No Aetna impact found from Microsoft Windows security flaw
November 2014
Microsoft recently announced the MS14-066 Schannel security flaw. Schannel is used by Windows client and server operating systems. Aetna has thoroughly assessed our systems. We do not believe that any of our systems or customer data has been compromised as a result.
We have patched all internal and external systems. We’ll continue to monitor our systems to protect our member, plan sponsor and provider data. We also have remediation plans in place, so we can quickly address any issues we find. Finally, we worked with all suppliers and vendors to assure that their systems are protected.
Aetna has protected its systems against “ShellShock” software bug
September 2014
Experts recently disclosed a software bug in a utility that is commonly used in computers, servers and even smartphones and other Internet-connected devices, called ShellShock.
Aetna immediately assessed our exposure. We’ve implemented security controls to guard against this vulnerability, and have patched all critical systems involved in the processing of customer data. Our security experts continue to analyze system and data components to assure the continued protection of our member, plan sponsor and provider data.
In addition to addressing our own infrastructure, we are diligently working through every third-party vendor relationship to identify potential exposures, then working closely with our vendor partners to assure the remediation of the vulnerability.
We are confident in the proactive steps we have taken since learning of this vulnerability on September 25.
Laptop Security is a High Priority
June 2014
Your laptop allows you to work while being mobile. However, without proper security practices, your laptop is very susceptible to being lost or stolen. Besides the financial cost of replacing a laptop, the consequences of a lost or stolen device can include:
- Loss of customer confidential and sensitive data
- Fines and penalties associated with loss of customer data
- Damage to company reputation
- Company’s competitive position is jeopardized
If at all possible, do not store customer sensitive data (member SSN) on your device. Our customer information must be protected at all times and should only be used and/or stored when absolutely necessary.
Encrypt your hard drive
Encrypting the hard drive of your device is the best practice to secure its data. Recommended encryption tool options are:
At the workplace
Whether you are in the office or teleworking, follow these steps to protect your laptop:
- Use a cable-locking device, even if you plan to be away from your desk for only a few minutes
- Store your laptop in a locked cabinet if you are leaving it for an extended period of time
While traveling
Keep your device with you at all times and do the following:
- Automobiles
- Hide it from view (preferably in the trunk) and lock the car
- Hide the laptop before you leave for your destination. Do not wait until you arrive at the destination to hide the laptop—thieves are known to watch for such activity
- Do not place the laptop in
- Hotels
- Lock your laptop in the room safe or the hotel’s safe (be sure to get a receipt) when you are away from your room.
- If the hotel safe cannot accommodate your laptop, use your cable lock to secure it to a non-moveable fixture (such as a floor or wall anchored light) while the laptop is not in use.
- Airport
- Place your laptop on the conveyor belt as the very last item so you can retrieve it immediately following its security scan
- While waiting in line or in a lobby, keep the strap of your carry case on your arm or around your leg – do not place the item on the ground
Be prepared in the event your laptop is lost
Record the laptop’s serial number and store it in a safe place, such as your wallet. This will facilitate recovery efforts and identify you as the owner of the laptop if it is lost or stolen.
If your laptop is stolen or lost on which you were conducting Aetna business, immediately notify the SPOC (Single Point of Contact) at (888) 905-9500.
Heartbleed Alert
April 2014
The recently announced “Heartbleed” vulnerability impacts a piece of software known as OpenSSL – a common software package used to assure the secure communication of data across the internet.
Like many organizations, Aetna has been working diligently to assess the impact of Heartbleed on our customers and information systems. To date we have determined that our core customer-serving and external facing systems are not impacted.
We have also instituted remediation plans to assure that we quickly address any vulnerable systems, should they be identified. We will take other precautions as necessary to protect customer data. In addition to assessing our own infrastructure, we are diligently evaluating third-party vendor appliances and applications that may be impacted. We will work closely with any impacted vendors to monitor remediation of the vulnerability.
We initiated these proactive steps following the announcement of this vulnerability on April 7.
