Aetna has agreed to pay the California Attorney General $935,000 for a 2017 breach which resulted in the exposure of the HIV status of 1,991 Californian residents.
In July 2017, Aetna, a health insurer based in Hartford, Connecticut, accidentally violated HIPAA Rules when it sent mail to members in which details of HIV medications were visible through the plastic windows of the envelopes. This inadvertent disclosure of highly sensitive HIV information violated the privacy of all 12,000 individuals affected and allowed friends, family members, loved ones, and even postal service workers to see the data.
The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.
Last year, Aetna agreed to a similar settlement with New York Attorney General Eric T. Schneiderman. That settlement agreement acknowledged the severity of the error, as more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can, therefore, have severe repercussions for the victims, and irreparably affect their relationships with those who know of the diagnosis.
In addition to the financial penalty, the settlement with the California Attorney General requires Aetna to change its policies and procedures to ensure that a breach of this nature does not occur again. These measures include designating an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and manage external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.
“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Becerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”
This settlement is one of several Aetna has agreed to in the past year over the same breach. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.
A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date concerning the breach to $2,725,170.59.
Cyber attacks have become the main data security focus of healthcare organisations in recent years. While the threat posed by such attacks is immense, this case highlights that all protected health information must be safeguarded, including data sent by traditional means such as the postal system, where a simple envelope design error can disclose sensitive diagnoses to anyone who handles or sees the mail.