- Aetna has agreed to pay three states and the District of Columbia nearly $650,000 to settle charges it compromised the personal information of thousands of plan members in two separate privacy breaches.
- The settlement is the result of a multistate investigation that included New Jersey, Washington, Connecticut and D.C. Aetna settled with New Jersey, Connecticut and D.C. for $365,000, $100,000 and $175,000, respectively. Washington State is still determining the amount of its settlement.
The settlements stem from two mailings the company made to policyholders in 2017, and underscore the dangers that not only cybercriminals but also employee error and negligence pose to patient privacy.
In July of that year, Aetna disclosed the HIV/AIDS status of 12,000 patients because the envelope's oversized transparent address window allowed the words "HIV Medications" to be seen. Then in September, a mailing to 1,600 enrollees revealed they had a heart condition by including the name and logo of a study on atrial fibrillation on the envelope.
The states and D.C. contended that Aetna violated both HIPAA requirements and state laws protecting personal health information and privacy of people with HIV/AIDS.
"Companies entrusted with individuals' protected health information have a duty to avoid improper disclosures," New Jersey Attorney General Gurbir Grewal said in a statement. "Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status."
A class action lawsuit on behalf of those whose HIV/AIDS status was disclosed settled for $17 million earlier this year. The lead plaintiff in that case was not HIV-positive, but was taking Truvada to prevent the disease. Other HIV-negative patients also received the letter, even if they had stopped taking the drug.
An Aetna spokesman said the company has "worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."