Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status.

On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates. Approximately 12,000 individuals were sent letters, 1,991 of whom lived in California.

The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution.

In addition to the financial penalty, the settlement agreement requires Aetna to designate an employee to implement and maintain its mailing program, oversee compliance with state and federal laws, and manage external vendors to ensure they handle medical data in compliance with state and federal laws and Aetna’s policies and procedures. Aetna is also required to complete an annual privacy risk assessment to evaluate compliance with the terms of the settlement for the next three years.

“A person’s HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry,” said Attorney General Becerra. “Aetna violated the public’s trust by revealing patients’ private and personal medical information.”

The privacy violation has proven expensive for Aetna. In January 2018, Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200. Also in January, Aetna agreed to pay the New York Attorney General $1,150,000 to settle its case and resolve alleged HIPAA violations and breaches of state law.

A further $640,170.59 was paid to settle a multi-state action by Attorneys General in New Jersey, Connecticut, Washington, and the District of Columbia. The latest settlement brings the total financial penalties issued to date in relation to the breach to $2,725,170.59.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.