AG Announces $935,000 Settlement over Personal Information Breach
California’s Attorney General, Xavier Becerra, has recently announced a $935,000 settlement with health insurance company Aetna (“The Company”). In July 2017, the Connecticut-based company mailed out letters to 1,991 Californians, visibly revealing that the recipients were taking medication for HIV.
According to a news release issued by the Attorney General’s Office, the “incredibly sensitive information” was visible through an enlarged window on envelopes containing the confidential letters.
Aetna had previously settled a lawsuit for $17 million in 2018, for the data breach which occurred during the summer of 2017. In total, the personal information of almost 12,000 customers insured by the firm, was compromised.
According to the Attorney General, Aetna violated state law, as well as the Confidentiality of Medical Information Act - Health and Safety Code, section 120980.
Mr Becerra said in a statement on January 30:
"A person's HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire health care industry, …Aetna violated the public's trust by revealing patients' private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring."
Aetna's mailing provider used an envelope with a large transparent window which displayed the individuals’ name, address and claim number, as well as instructions relating to HIV medication.
The AG issued injunctive provisions stipulating that the Company will modify its procedures for print mailing member medical information to include the following:
Evaluate whether it is necessary to include medical information in the mailing;
Take steps to ensure that medical information is not visible to third parties through the envelope window; or on the envelope itself before any mailing is sent;
Take steps to confirm that medical information is not visible to third parties through the envelope window; or on the envelope itself before any mailing is sent;
Develop training materials and implement training requirements regarding the Medical Information Mailing Procedure; and
Develop and implement procedures for litigation ("Litigation Procedure") that may involve member Medical Information;
Further requirements of the injunction stipulate that the Company will implement procedures that will:
prevent the inadvertent disclosure of medical information to third parties when medical information may be used in the litigation; an
train Aetna’s litigation staff and retained litigation counsel regarding Aetna’s requirements under HIPAA and applicable federal and state privacy laws.
In addition, for a period of 3 years, the Company will complete an annual privacy risk assessment that specifically addresses member mailings.
For the first 2 years, Aetna shall engage the services of an independent consultant approved by the AG, and the Company shall provide the AG with a report detailing its compliance with the judgment.
The Bay Area Reporter received an email from Becerra stating that the settlement included an injunction to prevent further violations.
The email stated:
"Aetna is required to implement and maintain specific mailing procedures that preserve the confidentiality of medical information, designate an employee responsible for implementation and maintenance of the mailing program, compliance with federal and state privacy laws, and management of external vendors handling medical information, …The company is also required to complete an annual privacy risk assessment evaluating compliance with terms of the settlement for three years."
Aetna staff were “not paying attention”
Scott Schoettes, HIV Project Director at Lambda Legal Defense and Education Fund said:
"Aetna quickly acknowledged that they had made an error and that the error was a violation of these people's privacy," "I don't think it took them very long to recognize that they had blown it."
Mr Schoettes added that the privacy breach occurred because Aetna staff members were not paying attention to what they were doing…
"They weren't ensuring that the labor they were working with recognized the sensitivity of the information they were providing, that it was subject to these protections, and that they needed to make sure the way they were disseminating the information protected that information, …So there was a breakdown between the insurer and the vendor that sent out the notice for them. I think they sometimes don't recognize how important it is to protect confidentiality of information. The law is there to remind them."
Schoettes said he is hopeful that the settlement will encourage other companies to be more mindful about revealing peoples’ confidential information.
A spokesman for Aetna responded via email, saying that the company "through our outreach efforts, immediate relief program, and settlements over the past year" has "worked to address the potential impact to members following this unfortunate incident."
Spokesman Ethan Slavin added:
"In addition, we have implemented measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information,"
Got something to say about this article? We welcome your comments and opinions.