Two mailing errors in 2017 resulted in the impermissible disclosure of Aetna plan members’ protected health information (PHI). As a result of the errors, HIV statuses and AFib diagnoses of plan members were visible through the plastic windows of envelopes containing the letters.
A class action lawsuit was filed on behalf of the victims of the HIV status breach, which Aetna settled in January for $17 million. Now settlements have been agreed with the states of New Jersey, and Connecticut and the District of Columbia to resolve the HIPAA violations associated with the privacy breaches. A settlement is expected with Washington, although the penalty amount has yet to be agreed.
The first mailing was sent by a business associate of Aetna to approximately 12,000 individuals on July 28, 2017. Over-sized windowed envelopes were used, which made it possible to see the names and addresses of the recipient but also the words “HIV Medications.” The second mailing was sent to 1,600 individuals in September. As with the first mailing, in addition to names and addresses, other information was visible through the window of the envelope. In this case it was the logo of the IMPACT AFib study, which indicated the recipient had been diagnosed as having atrial fibrillation.
The impermissible disclosures of PHI were investigated by several states. The mailings were determined to have violated Health Insurance Portability and Accountability Act (HIPAA) Rules and state laws such as the New Jersey AIDS Assistance Act and the Consumer Protection Procedures Act in DC.
The investigators determined there had been an impermissible disclosure of PHI in both mailings, that Aetna failed to safeguard the confidential medical data of consumers, and Aetna had degree deceived people regarding its capability to keep their medical information secure.
Aetna has agreed to settle with the State of Connecticut for $99,959, with the District of Columbia for $175,000, and with the State of New Jersey for $365,211.
New Jersey attorney general Gurbir Grewal said that companies given access to PHI have an obligation to protect it against improper disclosures. Aetna failed in fulfilling that responsibility and potentially subjected a large number of people with HIV/AIDS to discrimination and judgment.
District of Columbia attorney general Karl A. Racine stated that patients must feel assured that their confidential medical information is safe with their insurance provider or healthcare provider.