Aetna ACE revealed to federal regulators a health data breach impacting about 326,000 people that was caused by a ransomware event involving OneTouchPoint, a subcontractor that offers printing and mailing services to one of the insurer's contractors.
OneTouchPoint, located in Wisconsin, revealed to Maine's attorney general last week that a hacking issue uncovered in April affected roughly 1.1 million people.
In a statement posted on its website, OneTouchPoint also identifies more than 30 health plan clients who were affected by the event. That list does not include Aetna ACE.
Despite this, Aetna ACE reported the OneTouchPoint issue to the Department of Health and Human Services on July 27 as a HIPAA breach impacting almost 326,300 people.
Aetna states the exposed information may have included names, residences, dates of birth, and limited medical information, according to a statement given to Information Security Media Group on Tuesday.
According to Aetna, the incident did not include any of Aetna's or parent company CVS Health's systems.
Some experts believe that breaches involving health insurers pose significant privacy and security risks to their members' protected health information.
"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
The OneTouchPoint incident is not Aetna's first known health data leak involving a vendor that offers printing and mailing services.
Aetna paid millions of dollars in regulatory fines and civil settlements as a result of a botched mailing breach in 2017.
This privacy violation happened during a vendor's sending of letters to around 12,000 Aetna plan participants in different states informing them of new alternatives for filling their HIV medicines. The members' HIV medicine information was possibly apparent via the clear windows of the shipping envelopes.
Aetna paid more than $20 million in court settlements relating to regulatory fines imposed by a few state attorneys general and the resolution of class action lawsuits as a result of the privacy issue.