The Connecticut health insurer Aetna has agreed to pay a financial penalty of $935,000 to the California Attorney General to settle alleged violations of state laws in connection with a 2017 privacy violation.
On July 28, 2017, Aetna's mailing vendor sent letters to plan members who were HIV positive and receiving medications, or who were taking HIV medicines for pre-exposure prophylaxis. The letters included information about how plan members would receive their HIV medications; however, windowed envelopes were used for the mailing, and details of the HIV medications were visible through the windows of the envelopes, resulting in an impermissible disclosure of highly sensitive information. Around 12,000 people received the letter, 1,991 of whom were California residents.
The privacy breach violated HIPAA Rules; however, California Attorney General Xavier Becerra took action over violations of state laws, specifically the California Unfair Competition Law, the Health and Safety Code (section 120980), the Confidentiality of Medical Information Act, and the State Constitution.
Besides the monetary penalty specified in the settlement agreement, Aetna was also required to designate an employee to take charge of its mailing processes, supervise compliance with federal and state laws, and manage third-party vendors to ensure that medical information is handled in full compliance with federal and state laws and Aetna's policies and procedures. A risk assessment must also be completed every 3 years to check compliance with the settlement agreement.
Aetna has already paid $17,161,200 to settle a class action lawsuit filed on behalf of breach victims and, in January, Aetna paid $1,150,000 to the New York Attorney General to settle violations of state laws and HIPAA. Another $640,170.59 was paid to the Attorneys General of New Jersey, Connecticut, the District of Columbia, and Washington to settle a multi-state lawsuit related to the privacy violations. With the most recent settlement, Aetna has now paid $2,725,170.59 in financial penalties as a result of the breach.