EyeMed email hack exposes 484K Aetna members’ data

An Aetna affiliate on Thursday alerted the federal government that a data breach compromised hundreds of thousands of members’ health data.

The data breach stemmed from a hacking incident at EyeMed, a company that Aetna contracts with to provide services for members of its vision benefit plans, a spokesperson from CVS Health, which owns Aetna, said in an emailed statement.

In July, a hacker accessed an EyeMed email account and sent phishing emails to contacts in the account’s address book, according to a notice EyeMed posted on its website.

It’s unclear whether the hacker viewed or exfiltrated members’ health data. The email account contained names, dates of birth, vision insurance identification numbers, health insurance identification numbers, and some Social Security numbers, birth certificates, medical diagnoses, and financial information of current and former members who receive vision benefits through EyeMed, including Aetna customers.

More than 484,000 Aetna members had data compromised in the incident, according to a report submitted to HHS’ Office for Civil Rights on Thursday.

“Aetna places the highest priority on protecting the privacy of its customers and takes significant measures to protect private information from unauthorized uses and disclosures,” the CVS Health spokesperson said. “We continue to stay in close contact with EyeMed to help ensure it takes the appropriate steps to protect customers’ information.”

EyeMed and Aetna, which was informed of the incident in September, have found no evidence suggesting the exposed information has been misused, he said.

EyeMed did not respond to a request for comment on the incident. The company has not published how many people were affected in the data breach overall.

“EyeMed regrets any inconvenience this incident may cause individuals,” reads the notice posted on EyeMed’s website. “To help prevent something like this from happening again, we have taken prompt action to enhance the protections that were already in place before the incident,” including additional network security measures and security awareness training.