Aetna Inc. notified 65,000 people, most of them current and former employees, of a website breach that may have exposed their Social Security numbers and other personal information.
The Hartford, Conn.-based insurance company discovered the breach the week of May 4, after receiving complaints from employees and others about an email scam, said Aetna spokesperson Cynthia Michener. Intruders had accessed email addresses in Aetna's job application website and database, which is hosted by an external vendor. The email addresses were used in spam messages that claimed to respond to a job inquiry and requested personal information.
Personal information about Aetna job applicants is included in the database, making it possible that other information was exposed, she said. For people who were offered jobs with Aetna, that information includes names, addresses, Social Security numbers, and phone numbers. The data didn't include any financial or health information.
Although there is no conclusive evidence that information other than email addresses was accessed, Aetna notified 65,000 people who had a Social Security number in the database as a precautionary measure, Michener said. The vast majority of those notified are current and former employees, along with people who were offered jobs. The company also offered them credit monitoring.
"We took immediate action to prevent further unauthorized access, and hired an external IT security firm to thoroughly investigate and institute additional protective measures with our vendor," Michener said.
The investigation hasn't reached a definitive conclusion on how intruders accessed the email addresses, she said.
Immediately after discovering the breach, Aetna took down the job application site while it investigated the incident and put up notices on Aetna.com and the employee intranet to alert people about the email scam, Michener said.