- Aetna will pay California $935,000 for its 2017 privacy breach, stemming from a mailing error that inadvertently revealed the HIV-related information of 1,991 Californians and 12,000 total patients by the envelope’s clear window.
The settlement resolves the allegations that Aetna violated the state’s privacy laws concerning patient confidentiality. On July, 28, 2017, the insurer’s mailing vendor sent patients instructions for their HIV medications in an envelope with oversized clear windows. The contents could be clearly seen from the outside.
Attorney General Xavier Becerra explained that in doing so, Aetna violated several California state laws including, Confidentiality of Medical Information Act, Health and Safety Code section 120980, the State Constitution, and the Unfair Competition Law.
“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” Becerra said in a statement. “Aetna violated the public’s trust by revealing patients' private and personal medical information.”
“We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring,” he added.
In addition to the fine, Aetna must implement and maintain mailing procedures that ensure the confidentiality of medical data, with steps to guarantee that information isn’t visible through envelope windows.
Further, the insurer must designate an employee to be responsible for the implementation and maintenance of the mailing program, along with ensuring compliance with state and federal privacy laws and managing how external vendors handle medical data in compliance with the insurer’s policies.
For the next three years, Aetna will also be mandated to complete an annual privacy risk assessment that will evaluate compliance with the settlement terms.
In January 2018, Aetna settled with the 12,000 individuals impacted by the breach for $17 million in the U.S. District Court for the Eastern District of Pennsylvania. In October 2018, the insurer reached settlements with Connecticut, Washington, New Jersey, and Washington, D.C. over the 2017 mailing breach and a second mailing breach of about 1,600 cardiac patients.