I covered the news of this settlement last week, but note that in the process of investigating this breach, the attorney general’s office discovered a previous breach, too:
NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Aetna Inc. (“Aetna”), following claims that Aetna revealed the HIV status of approximately 2,460 New York members through a mailing in July 2017 in which the envelopes’ oversize transparent address window revealed text confirming the members’ HIV status. As part of the settlement, Aetna will pay a $1.15 million civil penalty; develop and maintain enhanced operating procedures with regard to privacy protections of personal health information and personally identifiable information in mailings; and hire an independent consultant to monitor and report on the settlement’s injunctive provisions.
“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”
Click here to read the settlement agreement.
Attorney General Schneiderman opened an investigation in July 2017 following Aetna’s July 28th mailing to 2,460 New York Aetna members with HIV. The mailing was sent in envelopes with a large transparent glassine window that could easily reveal the members’ HIV status, which was noted in the enclosed letter’s text. Due to the large-window envelope and the way in which the letters were folded and inserted in the envelope, individuals’ names, addresses, and claim numbers, as well as the first several lines of the letter containing instructions related to HIV medications, were clearly visible from the outside of the envelope – revealing to third parties the HIV status of some of the New Yorkers who received the letter.
Ironically, Aetna’s July mailing was intended to notify members of a class action lawsuit that, as a part of the lawsuit’s resolution, they could purchase HIV medications at brick and mortar pharmacies instead of via mail order/delivery. The class action suit had challenged the delivery policy since mail order deliveries may compromise member privacy when drug packages are visible to neighbors and family members.
As part of his investigation into the HIV member mailing, Attorney General Schneiderman discovered an additional privacy breach. On September 25, 2017, Aetna sent 163 New Yorkers a mailing containing materials related to a research study regarding atrial fibrillation (AFib), an irregular heartbeat condition that can lead to stroke, heart failure, and other heart-related complications. Aetna’s mailing to members with AFib used envelopes that displayed the logo of the research study, “IMACT-AFIB,” easily viewed by third parties – which could have been interpreted as indicating that the recipient member had an AFib diagnosis.
New York State Public Health Law Section 18 requires that patient information, such as the information at issue here, be revealed only with written authorization from the patient. Moreover, federal law, pursuant to the Health Insurance Portability and Accountability Act (HIPAA), prohibits the disclosure of protected health information, except in very limited circumstances.
Following the Attorney General’s investigation, Aetna agreed to implement and maintain a series of enhanced privacy protections, including modifications to its Standard Operating Procedure for Print/Mailing Quality-Prevention of PHI/unwanted disclosure(s), and Use of Protected Health Information in Litigation – Best Practices Policy to provide enhanced safeguards to protect from negligent disclosure of personal health information and personally identifiable information through mailings.
The investigation of this matter was conducted by Christopher K. Leung, Special Counsel, Health Care Bureau, under the supervision of Susan Cameron, Deputy Bureau Chief of the Health Care Bureau and Lisa Landau, Bureau Chief of the Health Care Bureau. The Health Care Bureau is a part of the Social Justice Division, led by Executive Deputy Attorney General for Social Justice, Matthew Colangelo.
“As an HIV positive person, I was personally horrified to learn of this security breach. A person’s HIV status is a highly private and personal matter and Aetna needs to treat it as such,” said Council Speaker Corey Johnson. “Although it was an accident, revealing this information to third parties was unacceptable. This agreement with the Attorney General will protect the safety and wellbeing of thousands of LGBTQ and HIV positive individuals across the State of New York.”
Source: Attorney General Eric T. Schneiderman