HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach.

Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses

In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients using envelopes with clear plastic windows, and information about HIV medications was allegedly visible. The mailings related to HIV medications used to treat patients who had already contracted HIV and individuals who were taking drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing.

Lawsuits filed on behalf of patients whose HIV-positive status was impermissibly disclosed were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a further $1.15 million to resolve the privacy violations.

Following on from those settlements, Aetna attempted to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who allegedly directed the mailing vendor to send the letters to patients that exposed their PHI. Aetna maintains that Kurtzman Carson Consultants did not communicate to Aetna that the mailing was being sent using windowed envelopes. The lawsuit is ongoing.


Further Lawsuit Filed Against Two Firms Representing Breach Victims

Now a lawsuit has been filed by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an attempt to recover at least part of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a previous case that led to the sending of the notification letters that exposed patients’ sensitive information.

The privacy breach that led to the $20 million settlement occurred in response to a previous privacy incident that Aetna was sued over. That initial privacy breach related to a requirement for patients who had been prescribed HIV medication to receive the drugs by mail rather than collecting them in person. Since the drugs need to be kept refrigerated, and are dispatched in refrigerated containers, it was alleged that this would violate patients’ privacy as it would be clear to neighbors and co-workers that HIV drugs were being delivered.

The latest lawsuit alleges the plaintiffs were responsible for requiring Aetna to send sensitive information to Kurtzman Carson Consultants, which Aetna was against, and that after that information was passed to Kurtzman Carson Consultants, the plaintiffs failed to ensure the confidential information was protected.

Whatley Kallas had recommended using Kurtzman Carson Consultants, and Consumer Watchdog was involved to make sure Aetna made good on its promise to change the requirements for patients to have the drugs sent by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog explained to Reuters that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used. They maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” wrote Rosenfield and Flanagan in a letter to the insurer, concluding “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While this may appear at face value to be a case of passing the buck, the case is not as frivolous as it may sound. According to Aetna, the law firm representing the plaintiffs in the original case was allegedly party to a proposal that stated windowed envelopes were going to be used, but the law firm failed to raise a red flag.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.