Aetna brochure labels contain U.Va. students’ info

[Erica Absetz <erica () riskbasedsecurity com>]

http://bdtonline.com/vanews/x316298151/Aetna-brochure-labels-contain-U-Va-students-info

CHARLOTTESVILLE, Va. — The University of Virginia is notifying 18,700
students that their Social Security numbers were accidentally printed
on address labels of health insurance brochures, U.Va. spokesman
McGregor McCance said.

“The university certainly regrets that this exposure occurred,”
McCance told The Daily Progress ((http://bit.ly/15necUW)V ) in an
email.

Aetna Health Care sent the open-enrollment brochures to students’
homes through a third-party mail vendor. The university provided the
Social Security numbers and other information to Aetna, which provides
student health insurance at U.Va. and more than 190 other schools
across the nation.

Aetna spokeswoman Cynthia Michener said the insurer learned of the
security breach earlier this week. She said the mail vendor is one of
several used by Aetna but declined to identify it.

“We are working with UVa helping to notify the students,” Michener
told the newspaper. “We are trying to do the right thing.”

The student newspaper, the Cavalier Daily, first reported the breach.
One of the editors, Andrew Elliott, was among the students who
received a brochure.

“It’s definitely easily visible if you know what you’re looking for,”
Elliott told The Daily Progress. “It isn’t separated by the little
dashes, but it still looks like a Social Security number.”

Affected students will be provided free credit monitoring services,
McCance said.

“Our focus is on notifying those affected, providing them information
regarding credit monitoring and assistance and ensuring that such an
incident will not occur again,” McCance said.

There have been several previous security breaches at the university,
including the disappearance of a hand-held device from the University
of Virginia Medical Center last December. The device, which is similar
to a smartphone, contained medical and personal information of
patients treated by Continuum Home Infusion between August 2007 and
last September.

Another incident occurred in June 2012, when up to 350 students’
transcripts were accidentally posted to a U.Va. website. Some of the
transcripts contained Social Security numbers.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.