In a notice posted on its Web site home page entitled “Notice of Retiree/Employee Data Compromise,” AMR Corporation revealed that the company had discovered and reported the data theft on June 4, 2010.
According to the AMR announcement, the hard drive contained images of historical microfilm files including names, addresses, dates of birth, Social Security numbers and “possibly other personal information, as well as a limited amount of bank account information.”
AMR said in some cases, health insurance information – primarily enrollment forms, but also some coverage-related care, treatment, and other administrative materials – “may also have been included.”
The information covered retirees, former employees and a “limited number” of current employees from about 1960 through 1995, the company said. Some of the employee files also contained limited information concerning beneficiaries, dependents, and other employees.
The aviation company said it does not believe health and welfare information on the drive is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “considering the age of the files and other factors.” However, AMR insisted it was “committed to HIPAA compliance” and would continue to secure the confidentiality of all health and welfare information that it maintains.
As a result of the theft, AMR said it has put in place additional protective measures including additional physical security, access control, and “computer system vulnerability assessments.” Its internal investigation is ongoing, AMR said.
The company said it has sent letters to those affected by the data breach, offering a one-year credit monitoring service at no cost. It also set up a special Web page with questions and answers at http://www.amrfaq.com/ .