Aetna ACE, a health insurer, reported a cyber-incident that involved the protected health information of 326,278 plan members.  The cyber-incident affected one of Aetna’s business associates, OneTouchPoint, Inc. (“OTP”), which provides printing and mailing services to various health insurance carriers and medical providers.  OTP posted a breach notice on its website on behalf of over three dozen healthcare companies, including health plans, related to the incident.  According to OTP, on April 28, 2022, OTP discovered encrypted files on some of its computers.  Based on its internal investigation, there was unauthorized access to some OTP servers beginning April 27, 2022.  OTP could not determine the specific files that were accessed or viewed within OTP’s network.  However, OTP noted that the information potentially involved includes protected health information, such as information that may have been provided during a health assessment.

The cyber-incident affecting OTP is not the first time an Aetna business associate or vendor has suffered a cyber-incident that directly affected Aetna’s plan members.  In June 2020, EyeMed, a business associate of Aetna, suffered a cyber-incident (phishing attack) that exposed the PHI of over 484,000 Aetna plan members.  According to some reports, the hack occurred after an employee responded to a phishing email.  EyeMed’s breach notification stated that the hacker’s access was blocked on the same day it was discovered.   However, it was later reported that the hacker’s access was not blocked until about a week later. 

Overall, the PHI of over 810,000 Aetna plan members has been exposed due to breaches of Aetna’s business associates and vendors.  Aetna likely will undergo some of the same breach-response activities as its business associates, which may require it to expend resources.  Besides potential erosion of plan members’ trust, Aetna may also face litigation and/or government investigations because of its business associates’ cyber-incidents.

Covered entities should not ignore the cybersecurity efforts of their business associates and vendors.  Organizations must take cybersecurity seriously and should verify the security of their business associates and vendors through audits and the receipt of assurances, and should consider in advance how to handle damages a covered entity suffers because of the actions (or inaction) of a business associate or vendor.  Cyber-incidents are not going away, and business associates remain just as susceptible to cyber-incidents as healthcare providers and plans.  According to Fortified Health Security’s 2022 mid-year Horizon Report, while healthcare providers account for 72% of the breaches, business associates and health plans made up 16% and 12% of the breaches, respectively.  Moreover, breaches affecting business associates increased in 2021.

The attorneys at Chilivis Grubman represent clients of all sizes in connection with data breaches and cybersecurity matters, including regulatory obligations and litigation arising therefrom.  If you need assistance with such a matter, please contact us today.