In July 2017, Aetna, a health care company, accidentally violated HIPAA Rules when it sent mail to members in which details of HIV medications were clearly visible through the plastic windows of the envelopes. This inadvertent disclosure of highly sensitive HIV information violated the privacy of all 13,487 individuals affected and allowed friends, family, loved ones, and even postal service workers to see the information.
A little more than two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.
The July breach triggered a class action lawsuit against the company, which Aetna recently settled for $17.2 million, with affected individuals receiving up to $500 each. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws.
As 2,460 of the individuals affected by the Aetna breach live in New York, Attorney General Schneiderman launched an investigation following the breach of HIV information in July. The September privacy breach was discovered during the course of that investigation; a further 163 New York Aetna members had their privacy violated by the September mailing.
The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims, and irreparably affect their relationships with those who know of the diagnosis.
New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organisations and individuals who violate state laws by disclosing HIV information.
As a HIPAA-covered entity, Aetna is required to implement safeguards to ensure the confidentiality of health and HIV information. Several New York laws also require safeguards to protect personal health information and personally identifiable information such as names, addresses, and Social Security numbers. In the two latest breaches, Aetna failed to do so, violating HIPAA in the process.
Aetna further violated HIPAA Rules when it provided the personal health information of its members to outside counsel, who in turn passed that information to a settlement administrator. The outside counsel was a business associate of Aetna and had signed a business associate agreement; its subcontractor, the settlement administrator, was also a business associate, yet no business associate agreement had been entered into before the PHI was disclosed.
The Office of the Attorney General determined that Aetna's two mailings violated 45 C.F.R. § 164.502 and 42 U.S.C. § 1320d-5 (HIPAA), N.Y. General Business Law § 349, N.Y. Public Health Law § 18(6), and N.Y. Executive Law § 63(12).
The settlement agreement also takes into account that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals, a poor track record.
In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.
“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”
Aetna may face further financial penalties in the future. This $1.15 million settlement only resolves the privacy violations affecting the 2,460 Aetna members in New York state, while the mailing was sent to around 12,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services' Office for Civil Rights is also investigating the data breach and may choose to penalise the insurer for violating HIPAA Rules.