Hartford-based Aetna is settling a lawsuit for $17 million over a privacy breach in which the insurer potentially revealed the HIV status of thousands of customers via letters that were mailed out.
As was reported in August by NPR and others, Aetna said that approximately 12,000 customers were sent a mailer last July that potentially revealed private medical information, though the company also said it wasn’t clear exactly how many were affected since depends on how the letter was positioned in the envelope. According to an NPR report at the time, one example of the mishap was a letter sent to a customer in Brooklyn, N.Y., in which the clear envelope window revealed considerably more than just the person’s address. It also showed the beginning of a letter advising the customer about options "when filling prescriptions for HIV Medic ..."
At the time, the New York City-based Legal Action Center, AIDS Law Project of Pennsylvania, and Philadelphia-headquartered Berger & Montague, P.C. filed a federal class action lawsuit against Aetna “for its repeated failure to respect the privacy rights of people taking HIV medication by mailing its customers Aetna envelopes where their HIV medication was visible through the large transparent window of the envelopes.” The lawsuit, filed in the U.S. District Court for the Eastern District of Pennsylvania, contended that the insurer’s mailing violated several laws by revealing highly confidential HIV information of approximately 12,000 customers in at least 23 states.
In an extraordinary twist, the Center noted that Aetna’s July mailing actually was an attempt to address privacy concerns raised in two lawsuits filed against the insurer in 2014 and 2015. Aetna had wanted customers to get their HIV medications exclusively from mail-order pharmacies rather than retail pharmacies. Customers objected at the time, saying that using the mail could breach their privacy.
As part of the settlement in those cases, Aetna sent the letter 12,000 customers who have taken HIV medications, explaining its revised HIV medication procedures.
In the complaint, the lead plaintiff’s sister learned that he was taking HIV medication from an unopened large-window of an Aetna envelope that revealed the highly confidential information. The plaintiff, identified by the pseudonym Andrew Beckett in the complaint, does not have HIV, the virus that causes AIDS, but takes PrEP as a preventative approach that lowers the risk of becoming infected with the virus.
According to a recent NPR report, “Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications.”
Per the NPR report, as part of the payout, the law firms are setting aside at least $12 million for payments of at least $500 to the estimated 11,875 people who may have received a letter exposing that information, acknowledging that "the harm was in the status being disclosed," according to Ronda Goldfein, director of the AIDS Law Project of Pennsylvania.
Aetna wrote in a statement, “"Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."