Healthcare Information Security

$17M Settlement Agreement Reached in Aetna Data Breach Case

A 2017 Aetna data breach where information about ordering prescription HIV drugs was visible on a mailing resulted in a $17 million settlement.

By Elizabeth Snell

Aetna has reached a $17 million settlement following a reported data breach from 2017 that impacted approximately 12,000 individuals.

The healthcare company Aetna sent letters in the mail where information about ordering prescription HIV drugs was clearly visible through the envelope's clear window.

“…the instructions for the recipient to fill their HIV medication prescription was plainly visible through the large-window section of the envelope,” the original lawsuit read. “Specifically, the visible portion of the letter clearly indicated that it was from Aetna, included a claims number and information for the addressee, and stated ‘[t]he purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…’”

Aetna will pay $17,161,200 under the settlement and will also be required to develop and implement best practices for the use of PHI in litigation. All Aetna in-house counsel whose primary responsibility is to manage litigation will also need to be trained on HIPAA requirements and applicable federal and state privacy laws.

Lead plaintiff Andrew Beckett, which is a pseudonym, alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”

The letters from Aetna had originally been sent as part of the settlement of earlier privacy complaints. The healthcare company had been sued in two separate class-action lawsuits in 2014 and 2015.

“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” according to the 2017 lawsuit.

In response, Aetna said that it is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident,” Aetna said in a statement.

Legal Action Center Legal Director Sally Friedman said in her declaration of support for the settlement that the agreement is excellent for the plaintiffs and settlement class.

“The Settlement offers a fair and just way to compensate the Settlement Class Members for potential harm by being sent the Benefit Notice as well as having their confidential HIV-related [information] transferred without required authorization from Aetna to its legal counsel, GDC and mail vendor, KCC,” Friedman stated. “I believe that it will provide a sense of justice and a clear message that their voices were heard, as well as help restore their dignity.”

Each settlement class member will receive one of the following payments, whichever is applicable:

  • $75 to all Settlement Class Members whose Protected Health Information was allegedly disclosed improperly by Aetna to Aetna’s legal counsel and a settlement administrator
  • $500 (inclusive of the $75 payment above) to all Settlement Class Members who were sent the Benefit Notice.

Healthcare organizations must take care with storing, transferring, and handling PHI in all of its forms, electronic and paper alike. Under the HIPAA Breach Notification Rule, an “impermissible use or disclosure” of PHI is the starting point for determining whether a breach has taken place.

“An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment,” HHS states on its website.

That risk assessment must consider at least the following four factors to determine whether a breach has occurred:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
  • The unauthorized person who used the protected health information or to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed
  • The extent to which the risk to the protected health information has been mitigated.

HHS also lists three exceptions to the definition of a breach. It is not a breach if there was “unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

HHS also makes an exception for inadvertent disclosure of PHI by a person authorized to access it to another person authorized to access it at the same covered entity or business associate, or within an organized health care arrangement in which the covered entity participates. For example, a provider who inadvertently sends PHI to a colleague at the same organization who is also authorized to access that information does not, on that basis alone, trigger a breach.

Finally, HHS explains that “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information,” the disclosure is not treated as a breach. In the Aetna case none of these exceptions applied: the recipients’ HIV-related information was visible to anyone who handled or saw the envelope, and that exposure could not be reversed.

Healthcare organizations must ensure that all staff members and all business associates, including law firms and mail vendors that handle PHI on their behalf, are regularly trained on maintaining PHI security. Entities cannot guarantee that an incident will never occur, but it is important to take the necessary steps to minimize the chances of an inadvertent insider breach.
