Aetna Agreed to Pay Victims of HIV Status Data Breach

Aetna agreed to pay $17,161,200 to settle a class action lawsuit filed by complainants of a mailing error that disclosed sensitive information. The envelopes used had clear plastic windows through which the details of HIV medications prescribed to the sendee were visible. It was not directly Aetna’s fault because a third-party vendor sent the letters.

Some victims complained that the letters in the envelopes slipped so that it revealed that the patients were prescribed HIV drugs.  In many cases, family members, flat mates, friends or neighbors viewed the envelopes and saw the patient’s HIV information. There’s no determined number of patients that had their information disclosed, although 13,487 individuals received the mailing. Some of these people had HIV and were prescribed medications for treatment. Others were taking pre-exposure prophylaxis (PrEP) to avoid contracting HIV.

Because of the breach, many patients experienced hardship and discrimination. Some were forced to leave their families and flatmates to find another accommodation. Others developed relationship problems because of the disclosure. Last August, the Legal Action Center, AIDS Law Project of Pennsylvania, Berger & Montague, P.C. filed a lawsuit to seek damages for the breach victims.

Aetna settled the lawsuit by agreeing to pay $17,161,200, pending Court approval without admission of liability. Aetna also needs to update its policies and procedures to avoid privacy breaches like this from happening again.

Two breaches of privacy allegedly occurred: the improper disclosure of PHI to Aetna’s legal counsel in July and the mailing disclosure of patients taking HIV medications. Both of these breaches violated state laws and the Health Insurance Portability and Accountability Act (HIPAA). About 1,600 victims of improper PHI disclosure will receive $75 as base payment. About 12,000 CLASS member victims of the mailing breach will receive $500 as base payment.

Aetna set up another fund for those who have suffered more harm or losses due to the disclosure. Individuals can apply for additional claims by completing a form documenting the harm they suffered as a result of the privacy breach, whether financial or non-financial.  This is an outreach effort by Aetna to address the impact to members following the privacy breach.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at