Aetna Life Insurance Company and the associated covered entity (Aetna) has decided to resolve several potential HIPAA violations that the Department of Health and Human Services’ Office for Civil Rights (OCR) found in the course of the investigation of three data breaches in 2017.
OCR received a report of the first data breach in June 2017. It involved the exposure of health plan members’ protected health information (PHI) online. Aetna used two web services to show members their health plan-related documents. However, the documents were accessible online with no need for login credentials.
Because there was no authentication implemented, the search engines had indexed the documents and showed the search results. The PHI of 5,002 people were exposed and included names, claim payment amounts, insurance identification numbers, dates of service, procedures service codes.
The second HIPAA breach involved two mailings that exposed and impermissibly disclosed highly sensitive information to plan members. The two mailings used window envelopes that made PHI viewable even without opening them.
In the first mailing sent in July 2017, 11,887 people taking HIV drugs for treatment or prophylaxis received benefit notices. The person’s name, address, and the phrase “HIV medication” were seen through the envelope windows.
The September 2017 second mailing involved a research study on 1,600 persons having an irregular heart rhythm. The name and address of the recipient. as well as the name and logo of the atrial fibrillation research study could be clearly seen through the envelope windows.
These three breaches led to the impermissible disclosure of 18,489 individuals’ PHI. The investigators of the breaces discovered the following HIPAA Rules violations:
Aetna hadn’t conducted routine technical and nontechnical assessments of operational modifications impacting the safety of their electronic PHI (ePHI), which violates 45 C.F.R. § 164.308(a)(8);
Procedures hadn’t been enforced to check the ID of persons or entities trying to access their ePHI, which violates 45 C.F.R. § 164.312(d);
ePHI disclosures were not restricted to the minimum required information to realize the goal for the disclosure, which violates 45 C.F.R. § 164.514(d);
There were insufficient proper administrative, physical and technical safety procedures to protect PHI privacy, which violates 45 C.F.R. § 164.530(c).
“When people get health insurance, they are expecting that their medical information is kept protected from public exposure. Regrettably, Aetna’s inability to comply with the HIPAA Rules led to three breaches within six months and a million-dollar settlement.
Besides the financial fine, Aetna made an agreement to undertake a corrective action plan to correct all aspects of HIPAA noncompliance identified by OCR. OCR is going to monitor Aetna directly for 2 years to ensure noncompliance with the HIPAA Rules.
Aetna already paid settlements totaling $2,725,170 in 2018 to resolve HIPAA violation cases with the state attorneys general in California ($935,000), New Jersey ($365,211.59), Connecticut ($99,959), the District of Columbia ($175,000) and New York ($1,150,000). In 2018, Aetna additionally paid $17 million to resolve a class-action lawsuit filed against it on behalf of patients of the HIV medication mailing breach.
This year’s penalties charged to covered entities and business associates for HIPAA violations resulted to 14 settlements totaling $13,211,500.