
Recent Aetna Data Breach Leads to Class Action Lawsuit

After an alleged data breach in which 12,000 individuals were notified, Aetna now faces a class-action lawsuit over the incident.


By Elizabeth Snell

A federal class action lawsuit was recently filed against Aetna after it reportedly experienced a data breach that may have affected thousands of individuals.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C. filed the lawsuit in the U.S. District Court for the Eastern District of Pennsylvania, claiming that Aetna has repeatedly failed to maintain the privacy of its members.

“In 2014 and 2015, Aetna was sued in two separate class action lawsuits,” the lawsuit explained. “Among other things, those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy.”

The most recent incident occurred toward the end of July 2017, when Aetna mailed a letter in which information about ordering prescription HIV drugs was clearly visible through the envelope's clear window.

“…the instructions for the recipient to fill their HIV medication prescription was plainly visible through the large-window section of the envelope,” according to the lawsuit. “Specifically, the visible portion of the letter clearly indicated that it was from Aetna, included a claims number and information for the addressee, and stated ‘[t]he purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medic…’”


Approximately 12,000 individuals in at least 23 states were sent notifications that their information may have been exposed. Aetna has not specified how many individuals were actually affected.

"We sincerely apologize to those affected by a mailing issue that inadvertently exposed the personal health information of some Aetna members," Aetna said in a statement. "This type of mistake is unacceptable, and we are undertaking a full review of our processes to ensure something like this never happens again."

Legal Action Center Legal Director Sally Friedman explained that the privacy breach “has caused turmoil in people’s lives.”

“Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries,” she said in a statement. “This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people's most private health information.”

Aetna “carelessly, recklessly, negligently, and impermissibly revealed” sensitive information, the lawsuit maintains.


One of the lead plaintiffs, who is using the pseudonym Andrew Beckett, does not have HIV but takes pre-exposure prophylaxis (PrEP). This is a regimen to help prevent an individual from acquiring HIV, the Legal Action Center stated.

“The man…said his sister learned he was taking HIV medication July 31 when their mail included an envelope from Aetna addressed to Beckett containing instructions, visible through a large transparent window on the envelope, on how to fill his prescription for HIV medication,” explained the Legal Action Center press release.  

Fault is inherently difficult to determine in healthcare data breach lawsuits, and such cases have been dismissed or even reversed in the appeals process.

For example, a federal appeals court reversed a previous ruling in August 2017 over the CareFirst data breach that took place in 2015.

The US Court of Appeals for the District of Columbia Circuit said “the district court gave the complaint an unduly narrow reading,” and that the plaintiffs “cleared the low bar to establish their standing at the pleading stage.”


It had previously been ruled that subject matter jurisdiction was lacking and that it had not been proven that the plaintiffs suffered any injury from the reported data breach.

“The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” the judges wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.”

The decision added that Article III standing does not require that a defendant be the most immediate cause of a plaintiff’s injuries. It only requires that those injuries be “fairly traceable” to the defendant.

“Because we assume, for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,” the statement read.

