The health plan Aetna, part of the Aetna Life Insurance Company, has agreed to pay a $1 million penalty to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.
In 2017, Aetna reported three data breaches to the Department of Health and Human Services’ Office for Civil Rights (OCR) over a 6-month period that involved the impermissible disclosure of the protected health information (PHI) of 18,489 individuals.
OCR launched an investigation to determine whether the breaches were the result of noncompliance with the HIPAA Rules and found that several potential violations had contributed to them.
The first incident, reported in June 2017, involved the exposure of PHI over the Internet. Aetna had used two web services to give health plan members access to their PHI over the Internet but had not activated the controls that would prevent unauthorized individuals from accessing the information. Because no login credentials were required, the documents were reachable by anyone who knew or discovered the URLs, and search engines crawled and indexed the files, making them discoverable through ordinary search results. The PHI of 5,002 individuals was exposed, and potentially impermissibly disclosed, as a result.
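The failure described above is an unauthenticated document endpoint: the application will hand a member's file to any client, including a search engine crawler, and nothing marks the response as private. The following is an added illustration, not code from Aetna or from the web services involved, of that weak handler beside a hardened one. The request and response shapes, the document store, the HMAC-signed session tokens and the `publicly_readable` crawler's-eye check are all constructed for this example; the point it makes is the one at issue in the breach: every request must be authenticated, the caller must be authorized for the specific document, and responses carrying PHI should tell crawlers and caches not to retain them.

```python
"""Unauthenticated PHI document endpoint beside a hardened version (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: document id -> (owning member id, content)
DOCUMENTS: Dict[str, Tuple[str, bytes]] = {
    "eob-1001": ("member-42", b"Explanation of benefits for member-42"),
    "eob-1002": ("member-77", b"Explanation of benefits for member-77"),
}

# Assumption: sessions are HMAC-signed tokens bound to one member id. A real
# deployment would issue these at login; the key is generated inline so the
# example runs offline.
_SESSION_KEY = secrets.token_bytes(32)

def issue_token(member_id: str) -> str:
    """Issue a session token of the form <member_id>.<hmac> for one member."""
    mac = hmac.new(_SESSION_KEY, member_id.encode(), hashlib.sha256).hexdigest()
    return f"{member_id}.{mac}"

def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the member id the token was issued for, or None if missing or forged."""
    if not token or "." not in token:
        return None
    member_id, mac = token.rsplit(".", 1)
    expected = hmac.new(_SESSION_KEY, member_id.encode(), hashlib.sha256).hexdigest()
    return member_id if hmac.compare_digest(mac, expected) else None

Response = Tuple[int, Dict[str, str], bytes]
Handler = Callable[[str, Dict[str, str]], Response]

def vulnerable_handler(path: str, headers: Dict[str, str]) -> Response:
    """Serves any document to anyone: no authentication, no ownership check, indexable."""
    doc_id = path.rsplit("/", 1)[-1]
    if doc_id not in DOCUMENTS:
        return 404, {}, b"not found"
    _, body = DOCUMENTS[doc_id]
    return 200, {"Content-Type": "text/plain"}, body

def hardened_handler(path: str, headers: Dict[str, str]) -> Response:
    """Requires a valid session, checks the caller owns the document, and marks the response private."""
    private = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    member_id = verify_token(token)
    if member_id is None:
        return 401, {**private, "WWW-Authenticate": "Bearer"}, b"authentication required"
    doc_id = path.rsplit("/", 1)[-1]
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc[0] != member_id:
        # Same answer for a missing and a foreign document so ids cannot be enumerated.
        return 404, private, b"not found"
    return 200, {**private, "Content-Type": "text/plain"}, doc[1]

def publicly_readable(handler: Handler, path: str) -> bool:
    """Crawler's-eye check: does an unauthenticated GET return an indexable document body?"""
    status, hdrs, _ = handler(path, {})
    return status == 200 and "noindex" not in hdrs.get("X-Robots-Tag", "")

if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, "publicly readable:", publicly_readable(h, "/documents/eob-1001"))
    tok = issue_token("member-42")
    print("owner fetch:", hardened_handler("/documents/eob-1001", {"Authorization": f"Bearer {tok}"})[0])
    print("cross-member fetch:", hardened_handler("/documents/eob-1002", {"Authorization": f"Bearer {tok}"})[0])
```

The `publicly_readable` check is the test worth running against any member-facing endpoint before it goes live: fetch it with no credentials, exactly as a crawler would, and fail the deployment if a document body comes back. Note that `noindex` alone is not a control; it only asks well-behaved crawlers not to list a page that is already readable, which is why the hardened handler refuses the request first and adds the header second.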
The second and third breaches concerned the use of window envelopes for communicating with plan members. The windows in the envelopes allowed PHI to be read without opening the envelope. The first of these mailings, sent in July 2017, contained benefit notices for individuals receiving HIV medication, either as treatment for HIV or to prevent infection with the virus. The words “HIV Medication” were clearly visible through the windows of the envelopes, along with the individual’s name and address. The PHI of 11,887 individuals was impermissibly disclosed as a result of the mailing error.
The second of the mailings, sent in September 2017, concerned an atrial fibrillation research study. The name and logo of the research study were visible through the windows of the envelopes along with names and addresses. The PHI of 1,600 individuals was impermissibly disclosed as a result of the error.
The impermissible disclosure of PHI was a violation of 45 C.F.R. § 164.502(a), but it was not the only violation that OCR investigators uncovered. The investigation revealed Aetna had failed to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, which violated 45 C.F.R. § 164.530(c).
Aetna had failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, in violation of 45 C.F.R. § 164.308(a)(8).
Aetna had not implemented procedures to verify that a person or entity seeking access to PHI is the one claimed, in violation of 45 C.F.R. § 164.312(d).
Aetna also failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure, in violation of 45 C.F.R. § 164.514(d).
When determining whether a financial penalty is appropriate, OCR considers several factors. In this case, the seriousness of the violations warranted a financial penalty. Aetna is also required to adopt a robust corrective action plan to ensure all areas of noncompliance are addressed. OCR will be monitoring Aetna to ensure continued compliance over the next two years.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.
The settlement follows earlier settlements with multiple state attorneys general over the same data breaches. In 2018, Aetna settled cases with California, Connecticut, New Jersey, New York, and the District of Columbia and paid a total of $2,725,170.59 to resolve those cases. A class action lawsuit was also settled, with $17 million in compensation paid to the victims of the HIV medication mailing error.