Did Aetna intimidate breach discoverer?


Date Reported:
5/28/10

Organization:
Aetna, Inc.

Contractor/Consultant/Branch:
None

Location:


Victims:
Customers

Number Affected:
Undisclosed

Types of Data:
"insurance documents", "social security numbers and names, death benefits"

Breach Description:
"A cabinet full of documents with sensitive information was found sitting on the side of the road. Now, Aetna has some questions to answer."

Reference URL:
WFSB Channel 3 Eyewitness News

Report Credit:
WFSB Channel 3 Eyewitness News

Response:
From the online source cited above:

HARTFORD, Conn. -- A cabinet full of documents with sensitive information was found sitting on the side of the road. Now, Aetna has some questions to answer.

Donna Guiel, of East Hartford, said she made the discovery about a month ago and on Friday, she gave the documents to investigators with Aetna Insurance Co.

Channel 3 Eyewitness News cameras were rolling when Guiel and her husband, John, transferred eight bags full of insurance documents, many with social security numbers, to Aetna.

Donna said she saw a bureau on the side of the road in front of Admiral Storage in South Windsor with a sign that said "free."
[Evan] Nobody thought to remove the information before it got to Admiral Storage, and nobody thought to check the bureau before putting it on the side of the road?  How many people missed this before Ms. Guiel found it?

She brought it home and inside the couple discovered the documents.

John said, "Eight bags of nothing but social security numbers and names, death benefits. People that went into hospitals, what kind of drugs they were on."

The Guiels said there was some tension between them and Aetna before and during the handoff. The couple said they decided to give the documents to the insurance giant at a neutral site, the South Windsor Police Department, one month after they discovered them.

Channel 3 Eyewitness News reporter Len Besthoff asked the couple, "You've had this stuff for four weeks and you're just giving it over now?"

Donna said, "Because I was trying to reach Aetna for two weeks, but my husband was dealing with his surgery issues, and he went in two weeks ago."
[Evan] Ms. Guiel should not have to defend her actions.  She is not the one responsible for the breach.

Aetna said it sees the situation differently.

Through a spokesperson, the company said:

Aetna is committed to protecting the privacy of our members and we take this situation seriously. We have policies for properly safeguarding our members’ information, and we are investigating how this incident occurred, but it appears to be human error.

Ms. Guile contacted us via e-mail on the evening of May 5, and we immediately responded the next morning.
[Evan] Ms. Guiel (notice misspelled name) claims that she was trying to reach Aetna for two weeks.  What/who do you believe?

She has consistently declined to give us her name or phone number, or to make arrangements to allow us to retrieve the documents at a place convenient for her, or to return them to us.
[Evan] Assuming that this information is correct, why would Ms. Guiel feel uncomfortable giving Aetna the requested information?  Was she afraid, or just being difficult?

As of today, we now have the files, and will go through each of them to determine the contents and whether any member information has been breached.
[Evan] Aetna is going to determine "whether any member information has been breached"?  I think they should determine "whose information has been breached."  It doesn't appear as though this is a question of "if", but more of a question of "what", "how", "when", and "why".

If it has been, we will notify those members and take steps to mitigate any potential harm.

Donna Guiel said though while making a good faith effort to arrange the handoff, three men from Aetna showed up at her workplace, unannounced, a short time after she got off the phone with the company, asking for the documents immediately.
[Evan] Interesting.  Is this part of the Aetna incident response procedure?

Donna said, "But when they sent the three guys to my work yesterday, it was an intimidation tactic and I didn't appreciate it. So that told me what I was going to do. That they were going to try and hide it."

As far as how this all happened in the first place, Aetna said someone from the company made a "serious human error," and it will now go through the files to make sure no sensitive information was lost.

What's more troubling, Donna Guiel said, is that the bureau wasn't the only piece of furniture offered for free that day.
Donna said, "Out of the pieces that were up for grabs, who's to say that I've got the only piece that was full of Aetna papers."

The Guiels have also contacted the state to investigate the situation. It is possible, with clients across the country, this could become an out-of-state issue as well.

Commentary:
This breach isn't as interesting as the response.  If Aetna was concerned that they wouldn't get the information back, why wouldn't they pursue a legal response (i.e. call the police, send a legal demand letter, et al.)?  If Aetna calls the police, it becomes a public matter.  Could this be a reason for not pursuing a more conventional course?  Sending three men to a person's workplace to demand the documents does not seem appropriate, and certainly would not be my recommendation (for what it's worth).

Past Breaches:
Unknown

 