Aetna to Pay $17 Million for HIV Breach

There are so many ways to breach protected health information (PHI) – both high tech and low tech – and even Aetna is finding out how expensive a simple low tech breach can be when patients are hurt. Aetna just agreed to pay $17 million because it used open windows on its envelopes.

Last summer the payer sent letters to members with instructions about filling prescriptions for HIV medications. The information might have been visible without having to open the 12,000 envelopes.

Aetna’s Breach Response to Members

Normally, a breach of this size would prompt an apology, notification of HHS, and a negotiated settlement. Aetna sent a letter to members whose PHI might have been breached, along with instructions on how to contact the Department of Health and Human Services' Office of Civil Rights.

The payer apologized and said it was taking steps to avoid a repeat breach. It worked with the AIDS Law Project of Pennsylvania and the Legal Action Center to reimburse those who claimed financial hardship because of the breach and offered counseling services.

Attorneys at the AIDS Law Project of Pennsylvania said they were contacted by members whose PHI was exposed. They complained that family, neighbors, and employers may have seen the information, exposing the members to discrimination, violence, and ostracism.

Breach Agreement Includes Compliance Plan

A southeast Pennsylvania man filed a class action suit on behalf of the 12,000 recipients. The plaintiff claimed his sister saw the letter. Aetna proposed a $17,161,200 settlement to be disbursed to patients to end the suit. While a court approves the settlement, Aetna will pay $500 to members who received the breach letters. Those who allege Aetna improperly shared PHI with their lawyers will get $75.

The agreement outlines how Aetna will send correspondence to patients with HIV-positive diagnoses from now on. It also outlines several compliance practices, such as making sure all of Aetna’s legal counsel reads and agrees to Aetna’s Business Associate Agreement. The organization will also review and update its HIPAA compliance plan.

 

Brad Ericson

Director of Publishing at AAPC
Brad Ericson, MPC, CPC, COSC, has been director of publishing for more than 10 years. Before AAPC he was at Optum for 13 years and Aetna Health Plans prior to that. He has been writing and publishing about healthcare since 1979. He received his Bachelor's in Journalism from Idaho State University and his Master's of Professional Communication degree from Westminster College of Salt Lake City.