Aetna took legal action against Kurtzman Carson Consultants (KCC), the administrative support company that handled the July 2017 mailing for Aetna. That mailing project resulted in a data breach disclosing the details of HIV medications through the envelope’s clear plastic window because the letters inside the envelopes slipped.
The Legal Action Center, AIDS Law Project of Pennsylvania and Berger & Montague, P.C. condemned the privacy breach and filed a class action lawsuit against Aetna in behalf of the breach victims. Aetna paid $17.16 million to settle the lawsuit in January. Aetna paid another $1.15 million to the New York attorney general’s office last month to settle violations of HIPAA and state laws.
There are other class action lawsuits filed against Aetna and more fines are to be expected. Aetna believes that they should not cover the costs associated with the privacy breach that resulted from a third-party’s (alleged) negligence. Aetna is seeking damages from KCC in the amount of $20 million for their error that resulted in the privacy breach.
Aetna claims the following in the lawsuit they filed against KCC:
- KCC’s errors and omissions resulted to gross negligence. The firm should have been aware of the placement of HIV medication information under the plan members’ names and addresses.
- KCC did not perform any checks to determine if information was visible through the envelopes’ plastic windows.
- KCC did not tell Aetna that the mailing will use envelopes with clear plastic windows.
- KCC did not consult Aetna’s lawyers for the approval of the mailing.
Aetna attempted to settle matters directly with KCC but it was not productive. KCC denies all the allegations of Aetna. General counsel Drake Foster said the claims are ‘demonstrably false.’ Hence Aetna had no choice but to take legal action. Aetna wants a ‘hold harmless’ ruling so that it will be shielded from all liability, damages and claims related to the mailing error. The cost of penalties and fines from pending lawsuits and violations is expected reach over $20 million. Aetna also wants KCC to return or destroy all PHI provided to the firm to process the mailing.
KCC filed a counter lawsuit claiming the following:
- Aetna and its lawyers were given letter samples and were informed that the envelopes had clear plastic windows. KCC claims Aetna approved the letters and envelopes.
- The confidential information received by KCC to send the mailing was not subject to a protection order. The information was not encrypted in transit to KCC via Gibson Dunn.
- Aetna shared with KCC information that is not necessary for the mailing, which is a breach of the minimum necessary standard of HIPAA.
KCC is seeking the court’s declaration that the costs arising from the privacy breach is not its responsibility. In addition, all of its legal costs should be shouldered by Aetna.