Aetna Attempts to Recover Privacy Breach Settlement Costs By Filing Further Lawsuit

Another lawsuit has been filed by Aetna in an attempt to recover the costs incurred due to a 2017 privacy breach. The Aetna data breach involved the inadvertent disclosure of patients HIV statuses via a mailing. The mailing vendor used envelopes with clear plastic windows, through which information relating to patients’ HIV medications was visible. About 12,000 patients received the mailing, some of which claim their HIV status was disclosed to other people.

Aetna settled lawsuits filed on behalf of patients whose HIV status was disclosed and paid $17.2 million in January. Another $1.15 million was paid to the New York state attorney general to settle privacy violations. Aetna is trying to get back the costs of the settlements from Kurtzman Carson Consultants, the claims administrator that was in-charge of the botched mailing. Aetna claimed it did not know that the mailing was sent with windowed envelopes. The lawsuit is still ongoing.

Aetna has now filed a lawsuit against the Whatley Kallas law firm and Consumer Watchdog – a Californian advocacy group  – to recover part of the $20 million paid in settlements. The two entities represented the patients in the case that led to the mailing being sent by Kurtzman Carson Consultants. The case that led to the mailing was triggered when Aetna said it required patients to receive their HIV meds by mail. Since the drugs must be refrigerated, the deliveries need to be dispatched in refrigerated containers. That would make it obvious to people that HIV medications were delivered and that would be a violation of patients’ privacy.

The most recent lawsuit claims the plaintiffs were liable for necessitating Aetna to send sensitive data to the Kurtzman Carson Consultants, which Aetna had opposed. Then, PHI was handed to Kurtzman Carson Consultants, but the law firm allegedly failed to make sure that confidential information was protected.

Rosenfield and Flanagan wrote to the insurer saying it would be better for Aetna to focus to remediating its privacy practices rather than pursue abusive and retaliatory strategies in order to avert responsibility for its own failures. Aetna should instead take responsibility for guaranteeing the protection of its customers’ private health information.

According to Aetna, the law company that represent the plaintiffs in the first case was party to the proposal that said windowed envelopes were going to be utilized; however the law company did not raise a red flag.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: