A laptop computer containing the financial and medical records of 38,000 Aetna clients has been reported stolen, but the company believes there is no real cause for worry because the laptop was password protected. In a press release Aetna’s CEO stated that the company has an effective IT security policy, though internal sources say that no one has ever heard of it. Experts at InfoWatch have suggested that talk of a security policy could be an attempt by the Aetna management to mitigate the effects of the data leak.
Aetna, a health care benefits company, released a statement notifying 38,000 of its clients that they face the threat of identity theft after a laptop containing their private details was stolen.
As often happens in such cases, the computer was stolen from an Aetna employee’s car that was parked in a public area. Specialists at the company are currently auditing back-up files to identify all the clients whose personal information was compromised.
It has also become clear that the information on the stolen laptop was not encrypted, though the management at Aetna claimed there was little cause for worry because the computer was “secured with strong-password authentication”. The only thing that may offer some reassurance to those affected is the fact that Aetna has offered to pay for one year of credit monitoring services.
The press release stresses that the company has adequate measures in place to protect the financial and medical data belonging to its clients, but that the employee from whom the laptop was stolen had not been following the corporate IT security policy. Specialists at Aetna are now checking how employees at the company interpret and apply that policy.
One Aetna employee contacted by journalists, who wished to remain anonymous, said that the nearest thing to an IT security policy he knew of within the company was a requirement that the password for entering the corporate system be at least six characters long. There was no mention of encryption…
“Unfortunately, companies often profess their concern for the safety of clients’ private data only after those details end up in the hands of criminals. In actual fact, no one is that bothered about safeguarding personal information and the standard mechanisms such as passwords to enter corporate systems are passed off as an effective safety measure. However, it takes an experienced specialist just a few minutes to bypass that kind of defense. After that it is highly unlikely that anything will be able to prevent identity theft,” Denis Zenkin, marketing director at InfoWatch, is convinced.
Source: Aetna