On May 29, 2018, Aflac reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). The breach at Aflac, which is based in Columbus, Georgia, affected the protected health information of 10,396 individuals. Aflac is classified as a Health Plan. According to Aflac’s statement:
American Family Life Assurance Company of Columbus and Continental American Insurance Company (collectively, “Aflac”) have discovered that potential unauthorized access to certain Microsoft 365 email accounts occurred between Jan. 17, 2018, and April 2, 2018. These accounts were on a business email system hosted by a third party. The incident was discovered through Aflac’s data security detection systems. Based on our review, Aflac email accounts of a small number of our independent contractor insurance agents appear to have been accessed by an unauthorized third party. These agents are not employed by Aflac; they are independent contractors who help us provide services to you. As our HIPAA Business Associates, these agents have also agreed to safeguard and protect your information. These agents’ email accounts were hosted by Microsoft 365, which is also a third-party vendor to Aflac. Data analysis, which was completed April 25, 2018, showed that some of the email accounts may have included HIPAA protected health information (PHI) and other personally identifiable information (PII). We immediately instituted multiple robust controls to mitigate and remediate the activity, including resetting passwords, isolating the specific email accounts and contacting the affected insurance agents. We also continue to work with our independent contractor agents and vendors to implement strong security measures. Based on our review, the information in the accounts may have included the following: first and last name, home address, date of birth, policy/certificate number, group number, type of policy (such as life, hospital and dental), Social Security number (SSN) and bank account information. Some general health information as part of the application, enrollment or claims process may have also been involved. We are not aware of any misuse of your personal or health information at this time.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.