Aetna recently settled a class action lawsuit paying $17.2 million for a data breach last July. The breach involved sending letters to members when details of HIV medications became visible through the plastic windows of the envelopes, disclosing the information to families, friends, loved ones and housemates.
Two months later, something very similar happened. A mailing about a research study on atrial fibrillation (AFib) exposed the term IMPACT-AFIB through the window of the envelopes, so anyone who saw it could infer that the recipient had an AFib diagnosis.
For the September breach, Aetna must pay a $1.15 million settlement to the New York Attorney General to resolve violations of federal and state law. When Attorney General Schneiderman opened the investigation into the July HIV breach, which impacted 2,460 Aetna members in New York, the investigation also uncovered the September privacy breach, which impacted 163 Aetna members in New York.
New York enforces strict laws on keeping HIV information secure and confidential, which encourages residents to come forward for HIV testing and treatment. In the case of the HIV breach, over 90% of patients faced discrimination and prejudice, and about 1 in 8 patients with HIV was denied health services because they had HIV/AIDS. That is why New York takes action against healthcare organizations that violate HIV patient privacy and state law. HIPAA-covered entities like Aetna are bound by law to safeguard the confidentiality of health and HIV information, and New York has several laws of its own to protect residents' PHI and PII.
In addition to the breaches caused by the two mailings, Aetna violated the HIPAA rules again by indirectly providing members' PHI to a settlement administrator that had not signed a business associate agreement prior to the disclosure. The attorney general's office determined that Aetna violated 45 C.F.R. § 164.502 and 42 U.S.C. § 1320d-5 (HIPAA), N.Y. General Business Law § 349, N.Y. Public Health Law § 18(6), and N.Y. Executive Law § 63(12).
Aside from the financial penalty, Aetna must update its policies, procedures and security controls to strengthen privacy protections for members and prevent negligent disclosures of PHI and PII by mail. The $1.15 million penalty is probably not the last financial penalty Aetna will have to pay: the mailing was sent to over 12,000 members across the U.S., not just the 2,460 Aetna members in New York, so other states may also file lawsuits over Aetna's privacy violations.