
New York Reaches $1.15M Settlement over Aetna Data Breach

The Aetna data breach exposed the PHI of 2,460 New Yorkers, which led to a $1.15 million settlement with the state’s Attorney General.


By Elizabeth Snell

New York Attorney General Eric Schneiderman announced that a $1.15 million settlement has been reached following the Aetna data breach that occurred in 2017.

Aetna sent letters to patients in the mail in July 2017. Information about ordering prescription HIV drugs was clearly visible through the envelopes' clear windows; approximately 12,000 individuals in total were impacted by the incident.

The HIV status of 2,460 New Yorkers was exposed, according to Schneiderman. Aetna will need to pay the civil penalty and develop and maintain enhanced operating procedures with regard to protecting PHI and personally identifiable information (PII) in mailings.

The organization will also be required to hire an independent consultant to monitor and report on the settlement’s injunctive provisions.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” Schneiderman said in a statement. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”


Schneiderman opened an investigation following the 2017 incident. During that investigation, another data breach was discovered.

“On September 25, 2017, Aetna sent 163 New Yorkers a mailing containing materials related to a research study regarding atrial fibrillation (AFib), an irregular heartbeat condition that can lead to stroke, heart failure, and other heart-related complications,” the AG statement explained. “Aetna’s mailing to members with AFib used envelopes that displayed the logo of the research study, ‘IMACT-AFIB,’ easily viewed by third parties – which could have been interpreted as indicating that the recipient member had an AFib diagnosis.”

In addition to HIPAA regulations, New York state law requires that patient information “be revealed only with written authorization from the patient.”

Aetna agreed to implement and maintain enhanced privacy protections, the AG office added. The healthcare organization would modify its Standard Operating Procedure for Print/Mailing Quality-Prevention of PHI/unwanted disclosure(s). Aetna must also update its Use of Protected Health Information in Litigation – Best Practices Policy “to provide enhanced safeguards to protect from negligent disclosure of personal health information and personally identifiable information through mailings.”

Council Speaker Corey Johnson said in a statement that, as an HIV-positive person, he found it personally horrifying to learn of the incident.


“Although it was an accident, revealing this information to third parties was unacceptable,” Johnson stated, stressing that Aetna must treat that data in a personal and private manner. “This agreement with the Attorney General will protect the safety and wellbeing of thousands of LGBTQ and HIV positive individuals across the State of New York.”

Earlier in 2018, Aetna agreed to a $17 million settlement in the wake of the 2017 data breach with the mailings.

Lead plaintiff Andrew Beckett alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”

Under that settlement, each class member will receive one of the following payments:

  • $75 to all Settlement Class Members whose Protected Health Information was allegedly disclosed improperly by Aetna to Aetna’s legal counsel and a settlement administrator
  • $500 (inclusive of the $75 dollar payment above) to all Settlement Class Members who were sent the Benefit Notice, whichever is applicable.

Aetna said in response to the 2017 lawsuit that it was implementing measures to ensure the same situation did not happen again. The organization added that it had worked to address the potential impact to its members through outreach efforts and an immediate relief program.


“The Settlement offers a fair and just way to compensate the Settlement Class Members for potential harm by being sent the Benefit Notice as well as having their confidential HIV-related transferred without required authorization from Aetna to its legal counsel, GDC and mail vendor, KCC,” Legal Action Center Legal Director Sally Friedman said in her declaration of support. “I believe that it will provide a sense of justice and a clear message that their voices were heard, as well as help restore their dignity.”
