Aetna committed two mailing errors in 2017, which caused the impermissible disclosure of the protected health information (PHI) of its members. Because of the data breach, the HIV statuses and AFib diagnoses of plan members were disclosed to the wrong people.
The victims of the HIV status breach filed a class action lawsuit, for which Aetna paid a settlement fee of $17 million in January. Aetna additionally settled alleged HIPAA violation cases with the District of Columbia, Connecticut and New Jersey attorneys general.
The first mailing was sent to about 12,000 persons on July 28, 2017 by Aetna’s business associate. Because over-sized windowed envelopes were used for the mailing, not only the recipient’s name and address were visible through the window, but also the phrase “HIV Medications.” In September, a second mailing was sent to 1,600 members. As with the first mailing, the recipient’s name and address were visible through the window of the envelope, along with the IMPACT AFib study logo. That made it obvious that the mail recipient had atrial fibrillation.
Several states investigated these impermissible disclosures of state residents’ PHI because of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) as well as state laws like the New Jersey AIDS Assistance Act and the Consumer Protection Procedures Act in the District of Columbia.
The investigators confirmed that PHI was impermissibly disclosed in the two mailing error incidents. Aetna failed to protect the sensitive medical information of members, and Aetna deceived consumers to some extent about its ability to safeguard their medical data.
Aetna agreed to settle the violation cases, paying the District of Columbia $175,000, the State of Connecticut $99,959, and the State of New Jersey a civil monetary penalty amounting to $365,211.59. Aetna also agreed to pay the State of Washington, but there’s no decision yet regarding the suitable settlement amount.
Gurbir Grewal, New Jersey attorney general, said that organizations that get access to the PHI of consumers have a responsibility to secure it and prevent improper disclosures. Aetna failed to fulfill its responsibility, and a great number of people who have HIV/AIDS can potentially be subject to judgment and discrimination. The investigations of Aetna brought about a good course of action from Aetna when it implemented measures to prevent the same breach from happening in the future.
Karl A. Racine, District of Columbia attorney general, said that insurance providers or healthcare providers must make patients feel assured about the safety of their confidential medical information. The court’s and federal agencies’ decision on Aetna’s cases serves as a forewarning to insurance firms about their responsibility to prevent impermissible disclosures of consumers’ personal data.