Aetna Fined Yet Again for Exposing HIV Information


California Attorney General Smacks Health Insurer With Hefty Penalty

(HealthInfoSec) • February 1, 2019

California's attorney general has hit Aetna with a nearly $1 million penalty in the latest enforcement action against the health insurer following a 2017 breach involving HIV information.


The $935,000 settlement - which awaits state court approval - resolves allegations that Aetna violated California health privacy laws in connection with its 2017 breach of patient confidentiality impacting 12,000 individuals, including 1,991 Californians, according to a statement from California Attorney General Xavier Becerra.

The incident involved a July 2017 mailing mishap in which a vendor for Aetna sent letters to health plan members that revealed through the envelope's oversized clear windows that the recipient was taking HIV-related medication, the statement notes.

A String of Settlements

Earlier, several other states announced settlements with Aetna as a result of the same incident.

In October 2018, after a multistate investigation, Aetna signed a financial settlement agreement with Washington, D.C., for $175,000, Connecticut for $100,000 and New Jersey for $365,000, as well as a settlement with the state of Washington, for which the amount was undisclosed.

In January 2018, Aetna agreed to a $1.15 million settlement with the New York state attorney general's office plus a $17.2 million settlement of a class action lawsuit filed against the company.

The case has also spurred other legal action, including Aetna suing Kurtzman Carson Consultants, a class action settlement administrator company that Aetna says directed the mailing to the health plan members in which the HIV medication information was visible through windowed envelopes (see: Yet Another Twist in Messy Aetna Privacy Breach Case).

Sensitive Data

The breach appears to have drawn so much legal and regulatory attention due to the particularly confidential nature of the data impacted.

"A person's HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry," Becerra said. "Aetna violated the public's trust by revealing patients' private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring."

[Image: California Attorney General Xavier Becerra]

The California attorney general alleges that Aetna's mailing breach violated state law, including the Confidentiality of Medical Information Act, Health and Safety Code section 120980, the State Constitution and the Unfair Competition Law.

In a statement provided to Information Security Media Group, Aetna says: "Through our outreach efforts, immediate relief program and settlements over the past year, we have worked to address the potential impact to members following this unfortunate incident. In addition, we have implemented measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."

California's attorney general's office did not immediately respond to an ISMG request for comment on the settlement.

Corrective Actions

As part of the California settlement, Aetna has agreed to take a variety of steps to avoid security mishaps, including:

- Modify its procedures for print mailings to health plan members;
- Evaluate whether it's necessary to include medical information in print mailings;
- Ensure that business associates or subcontractors sign BA agreements and that Aetna-retained mailing vendors agree to safeguard medical information;
- Complete three annual privacy risk assessments that address mailings to members.

Quality Control

Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials to a large group of recipients, it must have a quality control process for the design, production and delivery of the finished product to avoid mishaps like the Aetna privacy incident, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.

"It is a best practice to develop a quality control checklist to help ensure that the document can be produced in a way that fits into the finished mailing package ... that any data processing in the production of the document is checked to ensure the output allows for any PHI to be kept confidential, and that a final quality assurance check [is completed] to physically inspect that the document is stuffed into its envelope to make sure that only the recipient's name and address is showing," he says.

As for the financial settlement in California, Holtzman notes: "Californians enjoy a right to privacy enshrined in their constitution. The legislature has enacted statutory provisions protecting medical information from unauthorized use and disclosure, as well as separate provisions aimed at protecting consumers' personally identifiable information. Violations of these state law protections allow the attorney general to seek penalties of up to $2,500 per violation."

Other HIV Data Breaches

Other data breaches involving HIV-related information have also resulted in sanctions.

An incident involving records containing HIV information for 192 patients that were left on a train in 2011 by a Massachusetts General Hospital worker resulted in a $1 million HIPAA settlement with the U.S. Department of Health and Human Services' Office for Civil Rights.

In 2017, OCR signed a $387,000 settlement agreement with St. Luke's-Roosevelt Hospital Center Inc. in a case involving careless handling of HIV information. That incident involved the impermissible disclosure of sensitive medical information, including HIV status, through the faxing of data about only two patients.

OCR is also investigating the Aetna breach.

The OCR HIPAA Breach Reporting Portal - also known as the "wall of shame" - lists ongoing breach investigations involving Aetna, including the 2017 HIV data incident.

"It is possible that OCR's investigation may resolve the compliance reviews with a formal enforcement action or through voluntary corrective action," Holtzman says. "The agency's compliance and enforcement process can be opaque, so we will have to wait and watch."

OCR did not immediately respond to an ISMG request for comment.

Global Risk

Also grabbing headlines in recent days was a breach of HIV information in Singapore.

The Singapore Ministry of Health on Jan. 28 issued a statement revealing that confidential information of about 14,200 individuals diagnosed with HIV and 2,400 of their contacts was in the possession of an "unauthorized person" and had been illegally disclosed online (see: HIV Data Exposed Online).