Aetna Loses Laptop With 38,000 Users’ Personal Info

Yet another laptop containing thousands upon thousands of consumers’ personal info was stolen this week, this time from Aetna. Records on over 38,000 customers of the health insurance company were on the computer, which was stolen from a car where an employee had left it sitting. Our tipster writes, “We are reminded at least once a month not to leave our laptops in the car. Also, we have to sign the ‘Code of Conduct’ every year, part of which says ‘I promise not to leave my company laptop in the car.’”

The president of Aetna issued a press release today, available in delicious source document size, after the jump…

Again we say, if a laptop has got personal records on it, it needs to be handcuffed to these users’ wrists.

Lacey W. writes:

There’s been a lot of news lately about financial institutions losing and/or compromising personal information. Now it has spread to the health insurance industry. The president of Aetna, Inc. issued a press release today that a laptop was stolen out of an employee’s car. The release is copied at the bottom of this email.

Basically, what happened is an employee at Aetna left their company laptop in the car and it got stolen. As bad and careless as that sounds, I really can’t blame Aetna on this one. I’ll be honest – I work for Aetna. I also know that we are reminded at least once a month not to leave our laptops in the car. Also, we have to sign the “Code of Conduct” every year, part of which says ‘I promise not to leave my company laptop in the car.’ The laptop was encrypted with a ‘strong’ password – they won’t let you use a password that is less than 6 characters in length, and has at least 1 alpha char, 1 numeric char, and one symbol. According to the press release, Aetna has determined which clients’ information was stored on that computer, and have offered to pay for credit monitoring services for those who might have been compromised.

This is a classic example of one idiot employee giving 20,000 others a bad name. I wanted to send this in so people would know it happened, but could also see that it’s not like someone hacked into Aetna’s mainframe, or that Aetna doesn’t educate its employees, or doesn’t take steps to protect members’ private information. I will be interested to see the editors’ and posters’ comments on this issue.

Lacey W.

Aetna CEO and President Ronald A. Williams has issued a statement regarding data security.

Posted April 27, 2006

Aetna has notified approximately 38,000 members that an Aetna employee’s laptop computer containing certain personal member information was stolen from an employee’s personal car in a public parking lot. These members are employed by two Aetna customers, and we are auditing our back-up files to ensure that all affected individuals will be notified. There is no indication that data on the laptop, which was secured with strong-password authentication, has been compromised, and we have no reason to believe that there has been any unauthorized use of it.

Nevertheless, we have offered to pay for credit monitoring services for our affected members to help prevent any potential misuse of the information and we are contacting each affected individual directly with information on how to access this service.

Aetna deeply regrets this incident and has apologized to our members. Each of us at Aetna is mindful that our members trust us with their medical and financial information, and we are vigilant about keeping that information secure. We periodically thoroughly review our data security policies and practices, and employ numerous measures to help protect information and minimize the risks of identity or data theft. These include technical and physical safeguards and employee education. In addition, every year all Aetna employees are required to complete data security training and certify that they are in compliance with all business conduct policies, including data security.

In this case, our employee did not follow our corporate policies, and it was coupled with a criminal theft. In light of this, we are augmenting our efforts to ensure employee compliance with all Aetna security requirements.


  1. hiphopnerd says:

    I’m sure I’m missing some obvious reason, but why does any company need to have the data of 38,000 customers stored on a laptop? Are they keeping this data on their Treos & Blackberries too??

  2. GenXCub says:

    How do you say “Thin Client”, please…

  3. OkiMike says:

    I agree. I think this is the best example of a company, to date, doing the right thing in response. But why are employees carrying customer data around on laptops?

    If they want to process records after hours, is it feasible to do so many in so little time? If so, why not wait until the next day? However, if they can only process each one by hand, then download customer info individually and work on it that way.

    Better yet, get a VPN to your company’s servers and keep that data in-office.

  4. billhelm says:

    ugh, why was this data on the laptop, and why wasn’t it encrypted…

  5. Elvisisdead says:

    I’ll say that from time to time, it’s necessary to have around that many SSNs on my laptop. However, they are ALWAYS encrypted, and if I have to send them back to the office, they’re encrypted, the message is encrypted, and it’s done over VPN.

    What companies need to do is hold employees personally responsible for breaches like this. If someone sits you down and says, “Worker – the information that you will be taking home is valued at $$$,$$$.$$. If it’s lost and you’re proven to be negligent, we’ll seek to reclaim $$$,$$$.$$ out of your worthless hide.”

    However, in order for that to work, the company has to give the employee the tools and the instruction on how to keep it safe. Give them encryption tools and install laptop tracking software. Then if it goes missing, involve the authorities IMMEDIATELY and cite the value of the information involved.

    Agreed, though, great response from Aetna – speaking as an Aetna member.