Aetna Attempts to Recover Privacy Breach Settlement Costs By Filing Further Lawsuit

Another lawsuit has been filed by Aetna in an attempt to recover the costs incurred due to a 2017 privacy breach. The Aetna data breach involved the inadvertent disclosure of patients' HIV statuses via a mailing. The mailing vendor used envelopes with clear plastic windows, through which information relating to patients' HIV medications was visible. About 12,000 patients received the mailing, some of whom claim their HIV status was disclosed to other people.

Aetna settled lawsuits filed on behalf of patients whose HIV status was disclosed and paid $17.2 million in January. Another $1.15 million was paid to the New York state attorney general to settle privacy violations. Aetna is trying to get back the costs of the settlements from Kurtzman Carson Consultants, the claims administrator that was in charge of the botched mailing. Aetna claimed it did not know that the mailing was sent with windowed envelopes. The lawsuit is still ongoing.

Aetna has now filed a lawsuit against the Whatley Kallas law firm and Consumer Watchdog – a Californian advocacy group – to recover part of the $20 million paid in settlements. The two entities represented the patients in the case that led to the mailing being sent by Kurtzman Carson Consultants. That case was triggered when Aetna said it required patients to receive their HIV meds by mail. Since the drugs must be refrigerated, the deliveries need to be dispatched in refrigerated containers. That would make it obvious to other people that HIV medications were being delivered, which would be a violation of patients' privacy.

The most recent lawsuit claims the plaintiffs were liable for requiring Aetna to send sensitive data to Kurtzman Carson Consultants, which Aetna had opposed. PHI was then handed to Kurtzman Carson Consultants, but the law firm allegedly failed to make sure that the confidential information was protected.

Rosenfield and Flanagan wrote to the insurer saying it would be better for Aetna to focus on remediating its privacy practices rather than pursue abusive and retaliatory strategies in order to avert responsibility for its own failures. Aetna should instead take responsibility for guaranteeing the protection of its customers' private health information.

According to Aetna, the law firm that represented the plaintiffs in the first case was party to the proposal that said windowed envelopes were going to be used; however, the law firm did not raise a red flag.