Data breach at AMR Corporation

AMR Corporation, the parent company of American Airlines, sent letters to potentially affected retirees, former employees, and a limited number of current employees about a compromise of certain personal information.

The data, which had been kept by AMR’s pension department, spans a time period from 1960 through 1995, and consists of images of historical microfilm files for approximately 79,000 retirees, former employees, and a limited number of current employees. No customer data was compromised.

AMR officials discovered and reported the theft of a hard drive at AMR headquarters in Fort Worth, Texas, on June 4, 2010. The drive contained images of historical microfilm files, which included names, addresses, dates of birth, Social Security numbers, and possibly other personal information, as well as a limited amount of bank account information.

For some affected individuals, health insurance information (primarily enrollment forms, but also some coverage-related care, treatment, and other administrative materials) may also have been included.

AMR does not believe the health and welfare information contained on the drive is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), considering the age of the files and other factors. However, AMR is committed to HIPAA compliance, and will continue to take measures to secure the confidentiality of all health and welfare information that it maintains.