DataBreaches.Net

A.G. Schneiderman Announces Settlement With Aetna Over Privacy Breach Of New York Members’ HIV Status

Posted on January 24, 2018 by Dissent

I covered the news of this settlement last week, but note that in the process of investigating this breach, the attorney general’s office discovered a previous breach, too:

NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Aetna Inc. (“Aetna”), following claims that Aetna revealed the HIV status of approximately 2,460 New York members through a mailing in July 2017 in which the envelopes’ oversize transparent address window revealed text confirming the members’ HIV status. As part of the settlement, Aetna will pay a $1.15 million civil penalty; develop and maintain enhanced operating procedures with regard to privacy protections of personal health information and personally identifiable information in mailings; and hire an independent consultant to monitor and report on the settlement’s injunctive provisions.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

Click here to read the settlement agreement.

Attorney General Schneiderman opened an investigation in July 2017 following Aetna’s July 28th mailing to 2,460 New York Aetna members with HIV. The mailing was sent in envelopes with a large transparent glassine window that could easily reveal the members’ HIV status, which was noted in the enclosed letter’s text. Due to the large-window envelope and the way in which the letters were folded and inserted in the envelope, individuals’ names, addresses, and claim numbers, as well as the first several lines of the letter containing instructions related to HIV medications, were clearly visible from the outside of the envelope – revealing to third parties the HIV status of some of the New Yorkers who received the letter.

Ironically, Aetna’s July mailing was intended to notify members of a class action lawsuit that, as a part of the lawsuit’s resolution, they could purchase HIV medications at brick and mortar pharmacies instead of via mail order/delivery. The class action suit had challenged the delivery policy since mail order deliveries may compromise member privacy when drug packages are visible to neighbors and family members.

As part of his investigation into the HIV member mailing, Attorney General Schneiderman discovered an additional privacy breach. On September 25, 2017, Aetna sent 163 New Yorkers a mailing containing materials related to a research study regarding atrial fibrillation (AFib), an irregular heartbeat condition that can lead to stroke, heart failure, and other heart-related complications. Aetna’s mailing to members with AFib used envelopes that displayed the logo of the research study, “IMACT-AFIB,” easily viewed by third parties – which could have been interpreted as indicating that the recipient member had an AFib diagnosis.

New York State Public Health Law Section 18 requires that patient information, such as the information at issue here, be revealed only with written authorization from the patient. Moreover, federal law, pursuant to the Health Insurance Portability and Accountability Act (HIPAA), prohibits the disclosure of protected health information, except in very limited circumstances.

Following the Attorney General’s investigation, Aetna agreed to implement and maintain a series of enhanced privacy protections, including modifications to its Standard Operating Procedure for Print/Mailing Quality-Prevention of PHI/unwanted disclosure(s), and Use of Protected Health Information in Litigation – Best Practices Policy to provide enhanced safeguards to protect from negligent disclosure of personal health information and personally identifiable information through mailings.

The investigation of this matter was conducted by Christopher K. Leung, Special Counsel, Health Care Bureau, under the supervision of Susan Cameron, Deputy Bureau Chief of the Health Care Bureau and Lisa Landau, Bureau Chief of the Health Care Bureau. The Health Care Bureau is a part of the Social Justice Division, led by Executive Deputy Attorney General for Social Justice, Matthew Colangelo.

“As an HIV positive person, I was personally horrified to learn of this security breach. A person’s HIV status is a highly private and personal matter and Aetna needs to treat it as such,” said Council Speaker Corey Johnson. “Although it was an accident, revealing this information to third parties was unacceptable. This agreement with the Attorney General will protect the safety and wellbeing of thousands of LGBTQ and HIV positive individuals across the State of New York.”

Source: Attorney General Eric T. Schneiderman

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.