Aetna to Blame for February 2023 Cyberattack by Russian Hackers, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims healthcare giant Aetna failed to protect the personal information of approximately 3 million individuals from a cyberattack reportedly detected in early February 2023.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 48-page lawsuit says that between January 28 and 30, IT management software company Fortra, LLC—a third-party vendor used by Aetna through its benefits administration service NationsBenefits—was reportedly hacked by a Russia-linked ransomware group called Clop. The suit relays that Aetna learned on February 9 that it was one of over 130 client organizations impacted by the Fortra data breach.

The ransomware attack—which targeted Fortra’s file transfer platform, GoAnywhere MFT—affected millions of Aetna health plan members and compromised highly sensitive information, such as individuals’ names, physical addresses, dates of birth, member ID numbers, health plan coverage details, Social Security numbers and/or employer names, the case shares.

The complaint contends that Aetna failed to ensure that the data entrusted to Fortra was properly safeguarded and “knowingly disregarded standard information security principles, despite obvious risks.” The defendant apparently has enough control over GoAnywhere to make sure that information sent via the platform is secure, but its failure to supervise IT partner Fortra made the data “easy prey for cybercriminals,” the filing charges.

Although Aetna purports to have learned of the cyberattack in early February, it did not begin notifying victims of the breach until April, nearly three months later, the lawsuit states. This unreasonable delay deprived victims of the opportunity to take steps to secure their data and instead allowed the “damage to spread,” the suit claims.

What’s more, the notices themselves “deliberately underplayed” the seriousness of the breach such that victims are still “in the dark” in regard to what precise information was stolen, how the hackers gained access to the platform and how the vulnerable data will be protected in the future, the case explains.

According to the complaint, though Aetna has offered impacted individuals 24 months of free credit monitoring services, this gesture is inadequate in the face of the lifelong risks of fraud, identity theft and illegal schemes that victims now face.

Despite its negligent conduct, the defendant “largely put the burden on [the victims] to take measures to protect themselves,” the filing charges.

The plaintiff, a New York resident, received an emailed notice from Aetna on May 6 informing her that her private information had been compromised in the breach, the lawsuit relays. Since the incident, the plaintiff claims she has noticed a significant increase in spam calls, texts and emails and even received a fraudulent letter from someone purporting to be the IRS. The woman also learned that, shortly after the data breach, unauthorized parties had attempted to access her email account around 10 times, the case shares.

The lawsuit looks to represent anyone in the United States whose personal information was compromised by the data breach, including those who received notice of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.