Health insurance company Aetna has reached an agreement to pay a HIPAA penalty of $935,000 to the California Attorney General in relation to alleged violations of state laws during a 2017 privacy breach that disclosed state residents’ HIV status.
On July 28, 2017, Aetna’s mailing supplier sent letters to plan subscribers who were receiving HIV medications or pre-exposure prophylaxis to stop them from contracting HIV. The letters included instructions for their HIV medications; however, data about the HIV medications was clearly viewable through the transparent window of the envelopes, resulting in the impermissible disclosure of highly sensitive details to postal workers, friends, family members, and roommates. Almost 12,000 people were sent letters, 1,991 of whom resided in California.
The incident was a breach of HIPAA Rules and, according to California Attorney General Xavier Becerra, also did not comply with a number of California laws, including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.
Along with the financial penalty, the settlement agreement directs Aetna to designate an employee to put in place and maintain its mailing program, oversee compliance with state and federal laws, and oversee the management of external vendors to ensure they manage medical data in compliance with state and federal laws and Aetna’s policies and processes. Aetna is also directed to carry out an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.
California Attorney General Becerra said: “A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry. Aetna violated the public’s trust by revealing patients’ private and personal medical information.”
The privacy violation has been costly for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve what were believed to be HIPAA violations and breaches of New York state legislation.
An additional $640,170.59 was paid to settle a multi-state legal action by Attorneys General based in New Jersey, Connecticut, Washington, and the District of Columbia. The most recent settlement brings the total financial penalties issued to date in relation to the HIPAA violation to $2,725,170.59.