Three Data Breaches Result in $1m HIPAA Penalty for Aetna

Aetna Life Insurance Company and the affiliated covered entity (Aetna) have settled a HIPAA compliance violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR) and has agreed to pay a financial penalty of $1 million.

OCR investigated Aetna after receiving three breach reports in 6 months in 2017 from the health insurer. The initial data breach was made known to OCR in June 2017 and was due to the the exposure of the protected health information (PHI) of health plan members online. Two web services were used to show health plan-related documents to its members, but those documents could be viewed over the Internet without the need for any login information.

The absence of authentication permitted the documents to be indexed by search engines and shown in search engine result pages. Aetna’s investigation showed the PHI of 5,002 people had been breached, which included names, insurance identification numbers, claim amounts, procedure service codes, and dates of service.

The second two HIPAA breaches saw highly sensitive information impermissibly disclosed in two separate mailings to plan members. In both of these mailings, window envelopes were used, through which PHI was clearly visible. The first mailing in July 2017 saw benefit notices issued to 11,887 individuals who were being treated with HIV medication, either for treatment or prophylaxis. The term “HIV medication” could be viewed through the windows of the envelope, along with the name and address of each person.

The second mailing, sent in September 2017, related to a research study. 1,600 individuals suffering from an irregular heart rhythm were mailed about the research study, but the name and logo of the atrial fibrillation research study could be viewed through the windows of the envelopes.

These three breaches led to the impermissible disclosure of the PHI of 18,489 individuals. During the investigation, OCR investigators found many other breaches of the HIPAA Rules.

  • Aetna had not carried out periodic technical and nontechnical evaluations of operational amendments impacting the security of plan members’ electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
  • Processes had not been put in place to prove the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
  • Sharing of ePHI had not been restricted to the minimum necessary information to achieve the aim for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
  • There was an absence of appropriate administrative, technical, and physical security measures to safeguard the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

OCR Director Roger Severino said: “When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement.”

Along with the HIPAA fine, Aetna has agreed to implement a corrective action plan to tackle all areas of HIPAA noncompliance identified by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 24 months.

Settlements that added up to $2,725,170 were agreed in 2018 to settle HIPAA breach cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) in relation to the data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.


Author: Maria Perez