Security at Aetna’s in-network benefits provider Brightline enabled hackers to steal sensitive personal information of millions of customers.
A class action lawsuit was recently filed against insurance giant Aetna alleging that woefully inadequate data security at its in-network virtual health provider Brightline enabled hackers to steal the personal information of over 3 million customers.
According to Brightline’s Notice of Data Breach, “the incident involved Fortra, a third-party provider of file transfer services known as GoAnywhere MFT Software-as-a-Service.” This software has been implicated in a number of similar data breaches affecting multiple organizations and businesses, including those in the medical sector.
The complaint alleges that Aetna was, or should have been, aware of the heightened risk that use of this software poses, given numerous previous data hacks, yet it did nothing to prevent it.
The complaint also states that Aetna waited until April 7th before notifying victims of the breach, further exacerbating their injuries by preventing them from taking speedy measures to protect their identities and mitigate harm.
Even after informing victims of the data breach, Aetna failed to adequately describe the breach and the implications it could have on victims.
On January 30, 2023, Fortra was made aware of suspicious activity within certain instances of its GoAnywhere MFT service. Through its investigation, Fortra states that it identified a previously-unknown vulnerability which an unauthorized party used to gain access to certain Fortra customers’ accounts and download files.
Fortra informed customers, including Brightline, about the security vulnerability in their GoAnywhere MFT service on February 4, 2023. Fortra’s investigation determined the incident was limited solely to the Fortra service and did not impact Brightline’s network.
What Information Was Compromised?
The information involved in this incident included the following personal identifying/health information of some health plan members:
- Date of Birth
- Member Identification Numbers
- Date of Health Plan Coverage
- Social Security Number
- Employer Name
What Can Criminals Use This Information For?
Victims of identity theft are now exposed to a lifetime of fraudulent activity. Criminals use this information to:
- open new financial accounts in victims' names,
- take out loans using victims' identities,
- obtain medical services,
- use health information to craft phishing and other hacking attacks based on a victim's individual health needs,
- obtain government benefits,
- file fraudulent tax returns,
- obtain driver's licenses,
- give false information to police during an arrest.
What Does The Class Action Seek?
The class action alleges that victims of the data breach will continue to suffer harm, including unexpected out-of-pocket expenses to protect their identities in the future, lost or diminished value of their PII, emotional distress, and the value of the time spent mitigating the fallout from the data breach.
The action seeks remedies including compensatory damages, treble damages, punitive damages, and reimbursement of out-of-pocket expenses, as well as injunctive relief, including improvements to the data security systems of Aetna's in-network providers, including Brightline, future annual audits, and adequate credit monitoring services funded by Aetna.