- Aetna has agreed to pay $1 million in settlements to resolve three separate potential HIPAA violations in 2017 that affected more than 18,000 people, the HHS Office for Civil Rights announced Wednesday.
- The largest breach, affecting nearly 12,000 members, occurred when benefit notices were mailed with the words "HIV medication" visible through the envelope's address window. Three months later, a similar violation involved the logo of an atrial fibrillation study on the outside of a mailer sent to 1,600 participating members.
- In addition to the payout, Aetna agreed to a corrective action plan with two years of monitoring. It also requires the insurer to perform additional training for staff who handle personal health information. Aetna is not admitting liability as a part of the settlement.
Unlike other recent settlements, the breaches Aetna reported were not the result of malicious outside actors.
Last month, a Georgia orthopaedic practice agreed to pay $1.5 million after a hacker gained access to information on more than 200,000 patients. Also this year, OCR said Lifespan would pay $1.04 million for potential HIPAA violations resulting from a stolen laptop.
OCR said that in addition to the breaches, Aetna did not evaluate changes affecting the security of electronic PHI, limit exposure of PHI to only the number of staff necessary to complete tasks and failed to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI."
The first of the three breaches over a six-month period resulted from web services Aetna used to display plan documents being accessible without login credentials. The documents containing names, claim payments and procedure codes related to about 5,000 members were found to have been indexed by multiple search engines.
OCR in recent months has had a focus apart from HIPAA. The department has reached several settlements with providers who have allegedly denied patients access to electronic health information, known as right of access.