Aetna to Pay $17M in HIV Privacy Breach Lawsuit | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Aetna to Pay $17M in HIV Privacy Breach Lawsuit

January 18, 2018
by Rajiv Leventhal
| Reprints

Hartford-based Aetna is settling a lawsuit for $17 million over a privacy breach in which the insurer potentially revealed the HIV status of thousands of customers via letters that were mailed out.

As was reported in August by NPR and others, Aetna said that approximately 12,000 customers were sent a mailer last July that potentially revealed private medical information, though the company also said it wasn’t clear exactly how many were affected since depends on how the letter was positioned in the envelope. According to an NPR report at the time, one example of the mishap was a letter sent to a customer in Brooklyn, N.Y., in which the clear envelope window revealed considerably more than just the person’s address. It also showed the beginning of a letter advising the customer about options "when filling prescriptions for HIV Medic ..."

At the time, the New York City-based Legal Action Center, AIDS Law Project of Pennsylvania, and Philadelphia-headquartered Berger & Montague, P.C. filed a federal class action lawsuit against Aetna “for its repeated failure to respect the privacy rights of people taking HIV medication by mailing its customers Aetna envelopes where their HIV medication was visible through the large transparent window of the envelopes.” The lawsuit, filed in the U.S. District Court for the Eastern District of Pennsylvania, contended that the insurer’s mailing violated several laws by revealing highly confidential HIV information of approximately 12,000 customers in at least 23 states.

In an extraordinary twist, the Center noted that Aetna’s July mailing actually was an attempt to address privacy concerns raised in two lawsuits filed against the insurer in 2014 and 2015. Aetna had wanted customers to get their HIV medications exclusively from mail-order pharmacies rather than retail pharmacies. Customers objected at the time, saying that using the mail could breach their privacy.

As part of the settlement in those cases, Aetna sent the letter 12,000 customers who have taken HIV medications, explaining its revised HIV medication procedures.

In the complaint, the lead plaintiff’s sister learned that he was taking HIV medication from an unopened large-window of an Aetna envelope that revealed the highly confidential information. The plaintiff, identified by the pseudonym Andrew Beckett in the complaint, does not have HIV, the virus that causes AIDS, but takes PrEP as a preventative approach that lowers the risk of becoming infected with the virus.

According to a recent NPR report, “Aetna settled with the individual plaintiffs, changed its policy to allow members to fill HIV prescriptions in person at retail pharmacies, and, in turn, sent out notification letters to anyone who had filled prescriptions for HIV medications.”

Per the NPR report, as part of the payout, the law firms are setting aside at least $12 million for payments of at least $500 to the estimated 11,875 people who may have received a letter exposing that information, acknowledging that "the harm was in the status being disclosed," according to Ronda Goldfein, director of the AIDS Law Project of Pennsylvania.

Aetna wrote in a statement, “"Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."

2018 Philadelphia Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

May 21 - 22, 2018 | Philadelphia

Topics

News

Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.

Report: Healthcare Accounted for 45% of All Ransomware Attacks in 2017

Healthcare fell victim to more ransomware attacks than any other industry in 2017, according to a new report from global cybersecurity insurance company Beazley.

Study: Use of EHRs Does Not Reduce Administrative Costs

A recent study by Duke University and Harvard Business School researchers found that costs for processing a single bill ranged from $20 for a primary care visit to $215 for an inpatient surgical procedure, or up to 25 percent of revenue.

Kibbe to Step Down as CEO of DirectTrust

David Kibbe, M.D., M.B.A., announced he would step down as president and CEO of DirectTrust at the end of the year.