Aetna to Pay $17 Million for HIV Breach
There are so many ways to breach protected health information (PHI) – both high tech and low tech – and even Aetna is finding out how expensive a simple low tech breach can be when patients are hurt. Aetna just agreed to pay $17 million because it used window envelopes.
Last summer the payer sent letters to members with instructions about filling prescriptions for HIV medications. The information might have been visible through the envelope window without opening any of the 12,000 envelopes.
Aetna’s Breach Response to Members
Normally, a breach of this size would prompt an apology, notification of HHS, and a negotiated settlement. Aetna sent a letter to members whose PHI might have been breached, along with instructions on how to contact the Department of Health and Human Services’ Office for Civil Rights.
The payer apologized and said it was taking steps to avoid a repeat breach. It worked with the AIDS Law Project of Pennsylvania and the Legal Action Center to reimburse those who claimed financial hardship because of the breach, and it offered counseling services.
Attorneys at the AIDS Law Project of Pennsylvania said they were contacted by members whose PHI was exposed. The members complained that family, neighbors, and employers may have seen the information, exposing them to discrimination, violence, and ostracism.
Breach Agreement Includes Compliance Plan
A southeast Pennsylvania man filed a class action suit on behalf of the 12,000 recipients. The plaintiff claimed his sister saw the letter. Aetna proposed a $17,161,200 settlement to be disbursed to patients to end the suit. Once a court approves the settlement, Aetna will pay $500 to members who received the breach letters. Those who allege Aetna improperly shared PHI with their lawyers will get $75.
The agreement outlines how Aetna will send correspondence to patients with HIV-positive diagnoses from now on. It also outlines several compliance practices, such as making sure all of Aetna’s legal counsel read and agree to Aetna’s Business Associate Agreement. The organization will also review and update its HIPAA compliance plan.