Ronald A. Williams, Aetna chief executive officer, said in the April 26 statement that the company does not believe any of the information – secured by "strong" password protection – was compromised or used for any criminal wrongdoing.
But Aetna, which has nearly 28 million total members, has offered free credit monitoring services for affected members and has promised to strengthen security awareness training for employees.
The laptop was stolen from an employee's personal car in a public parking lot, the statement said. It did not say when or where the theft occurred.
"Aetna deeply regrets this incident and has apologized to our members," Williams said. "Each of us at Aetna is mindful that our members trust us with their medical and financial information, and we are vigilant about keeping that information secure."
Williams said the company regularly reviews security policies and provides annual training for employees.
"In this case, our employee did not follow our corporate policies, and it was coupled with a criminal theft," Williams said, adding the firm plans to increase efforts to ensure employees follow security protocol.
Policy mandates that all laptops be properly secured, connect to the internet only through the company firewall and have all member information encrypted. In addition, all employees must be trained and certified in security awareness, spokeswoman Cynthia Michener said today.
As a result of the incident, the company has launched a campaign mandating that all employees be re-certified in security awareness, and Aetna is re-auditing every company computer to ensure each contains proper safeguards.
Absolute Software, a Vancouver, British Columbia-based provider of computer theft tracking and recovery solutions, said this week that the incident exemplifies the need to protect sensitive data.
"Computer loss and theft represents a huge security risk to both individuals and corporations," said John Livingston, CEO of Absolute Software. "A single $1,000 laptop may hold credit card numbers, private client information and years of accumulated knowledge that could cost an organization millions of dollars in business and lawsuits."
The vendor recommends taking steps to limit the possibility of laptop security breaches, including:
- Use deterrents such as cable locks to discourage thieves from stealing laptops;
- Store laptops in less conspicuous bags than the standard carrying cases;
- Use complex passwords and frequently change them;
- Leverage an integrated solution, including anti-virus, anti-spyware, firewall and encryption software;
- Back up sensitive data.