HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor.

For some of the patients, the letters had slipped inside the envelope revealing the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flat mates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. Is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease.

Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after been forced to leave their homes by flat mates and relatives. Others have had personal and family relationships severely damaged as a result of the disclosure.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., filed a lawsuit in August seeking damages for the victims of the breach. That lawsuit has been settled for $17,161,200 by Aetna, pending Court approval, with no admission of liability. The settlement also requires Aetna to update its policies and procedures to ensure similar privacy breaches are prevented in the future.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

There were two alleged breaches of privacy. There was an improper disclosure of protected health information to Aetna’s legal counsel in July, in addition to the mailing of the Benefit Notices that revealed patients were taking HIV medications. Those privacy breaches violated the Health Insurance Portability and Accountability Act (HIPAA) and several state laws according to the lawsuit.

Individuals who had their PHI improperly disclosed will receive a base payment of $75, while class members who were sent the envelopes with the clear plastic windows will receive a base payment of $500. There are almost 1,600 individuals who will receive the $75 payment and almost 12,000 who will receive a payment of $500.

A fund has also been set up for individuals who have suffered additional harm or losses as a result of the disclosure. Those individuals can apply for additional funds by completing a claim form documenting the financial and non-financial harm they have suffered as a result of the privacy breach.

“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” said a spokesperson for Aetna. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.