Aetna charged $1m for three data breaches under HIPAA

The HIPAA (the Health Insurance Portability and Accountability Act) has exacted a $1 million penalty from Aetna, U.S. health care insurance company.

Three years ago the details of 5000 individuals were exposed due to deficient protection measures. Login credentials appeared to be unnecessary to access confidential documents on the two web services of the company. Aetna used to keep health plan data available for the members. The data leakage ensued from the low information security level.

Among the breached data there were names, procedure service codes, insurance identification numbers, claim payment amounts, and dates of service.

In 2017 there happened another data breach a few months later when the names of more than 11000 patients who needed HIV medication were revealed.

2017 was marked by another breach in Aetna – the names of 1600 people were exposed in a mailing to plan members with the subject referring to the atrial fibrillation research.

The fine is imposed for these three personal data breaches.

Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.