Aetna, one of the world’s largest health insurance providers, had to do something special for its customers following a security “oops” reported May 26 involving its Website.
It turns out that a number of human resource-related e-mails containing important personal information that had been stored in a “secure” place on the site somehow became public for an undetermined window of time. The e-mails were accessed by a number of visitors to the site, Aetna admitted, although it did not say how many.
As a result, the company will provide free credit monitoring for a year to about 65,000 employees and people who had received job offers during the last five years. No FreeCreditReport.com needed for these folks.
Aetna reported that Social Security numbers of current and former employees and people who received job offers from the company were stored on the Website, which formerly had been maintained by an outside vendor. The site also stored phone numbers, addresses and employment histories for people who had received job offers but elected not to accept them.
Not anymore, though. Aetna has wised up and is now revamping its online HR operation.
An outside firm was called in to do a security review of the site, but it is not been able to figure out how the breach happened in the first place.
Aetna was first tipped off three weeks ago, when it started getting complaints from applicants who received phony e-mails telling them they had been selected for a position. The e-mails — not from Aetna’s HR folks — then requested additional personal information.
Our question is this: What is all that sensitive personal — and personnel — information doing residing on a publicly accessible Website in the first place? Hopefully, Aetna has learned a lesson.