Health insurance giant Aetna, Inc., has agreed to implement additional privacy safeguards and pay the District of Columbia a $175,000 fine after a privacy breach that disclosed some HIV-positive clients’ serostatus.
The settlement, reached earlier this month, resolves a multi-state investigation into the company’s mishandling of confidential, protected health information.
The investigation found that, in July 2017, Aetna mailed notices to approximately 12,000 consumers — including 388 District residents — who receive antiretroviral medications to treat their HIV. The notices contained details about how patients could purchase their medications, and were mailed in envelopes with large, transparent plastic windows that allowed the customers’ names and addresses, along with the words “HIV medications,” to be seen through the window.
The District of Columbia and several other states sued over the privacy breach, alleging that the disclosure of HIV status violated the federal Health Insurance Portability and Accountability Act, which protects the privacy of health information, as well as D.C.’s Consumer Protection Procedures Act.
The District also alleged that Aetna deceived consumers about the company’s ability to safeguard their health information, misleading them about the safeguards in place to prevent such disclosures of confidential information.
As part of the lawsuit, Attorney General Karl Racine noted that Aetna also committed a similar privacy breach when it mailed a notice to 10 District residents with atrial fibrillation, with information about the heart condition listed on the outside of the envelope, in September 2017.
Racine also argued that patients who are HIV-positive are especially vulnerable to stigma and discrimination if their serostatus is made public.
In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to the 12,000 consumers affected by the breach.
As part of the settlement, Aetna is required to adopt new policies to protect private health information and ensure compliance with HIPAA, and to inform consumers of those protections.
Aetna is also required to modify procedures for sending mailings to consumers, including requiring pre-approval of any information printed on the outside of mailed notices, and, in some cases, requiring a cover sheet inside the envelope.
Aetna must also hire independent consultants to ensure it is complying with federal and state protections, as well as the terms of the settlement. Those consultants will provide ongoing reports to Racine’s office over the next two years.
Lastly, Aetna will pay a $175,000 civil penalty to the District, and will set up an immediate relief program designed to address the needs of consumers who were harmed by the breach.
The company has reached similar settlements with the states of Connecticut, Washington, and New Jersey.
“Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information,” Racine said in a statement.
He also said that the settlement “will prevent further disclosures” and will put other insurance companies on notice that “they are responsible for protecting consumers’ private medical information.”