The insurer wants $20 million. The legal firm wants Aetna to pay. Patients are due $17 million.
What was perhaps the most prehistoric data breach in recent memory has turned 2 former business allies into foes. The health insurance titan Aetna and its onetime legal services vendor, Kurtzman Carson Consultants (KCC), filed lawsuits against each other this week, following a snail mail snafu that exposed 12,000 customers’ HIV-related information and resulted in a $17 million class-action judgment.
Aetna is seeking at least $20 million, the amount it has spent cleaning up the mess, which the company claims KCC caused, according to a copy of the insurer’s complaint. KCC, meanwhile, refuted the assertions and is pushing the court to slap Aetna with various fines, “in an amount sufficient to have a deterrent effect,” according to KCC’s lawsuit, which it filed a day after Aetna’s complaint.
Aetna alleges that KCC committed “errors, omissions, and gross negligence” in handling the protected health information of the insurer’s customers. KCC claims that the “negligence, carelessness, and recklessness” was on Aetna and its law firm, Gibson, Dunn, and Crutcher.
A spokesperson for Aetna did not immediately return a request for comment, though the general counsel for KCC responded with a statement.
“We strongly deny the allegations, which are demonstrably false,” said Drake D. Foster. “KCC deeply empathizes with people affected by this incident and intends to respond to Aetna consistent with the rights and responsibilities related to this matter.”
The legal battle stems from a July 2017 incident in which the parties allegedly mailed out envelopes with large, transparent windows that left visible private HIV information. The class-action lawsuit filed against Aetna claimed that the company “improperly transmitted” the names of nearly 14,000 people who had been prescribed HIV drugs. What’s more, the see-through envelopes allegedly exposed nearly 12,000 patients, according to the documents.
Last month, Aetna settled the suit, agreeing to pay attorneys’ fees and $75 to those whose information was exposed to the company’s counsel or mail vendor and at least $500 to those whose protected health information appeared in the transparent window of the envelopes. KCC helped Aetna mail the letters.
“The fear of losing control of HIV-related information and the resulting risk of discrimination are barriers to healthcare,” said Ronda B. Goldfein, executive director of the AIDS Law Project of Pennsylvania, which worked on the class-action complaint alongside several other law firms.
In its 6-count lawsuit against KCC, Aetna is requesting the legal services firm to indemnify the insurance company and protect it against related legal liabilities. Aetna also wants KCC to return data regarding health plan members who were slated to receive the mailings. The company alleges that KCC has refused to “return, delete, and destroy” the confidential information.
In its 5-count complaint against Aetna, KCC alleges that the insurer and its attorneys failed to safeguard the victims’ protected health information, thus causing the HIV disclosure. The firm claims Aetna has been sued at least 10 times for the act, in which it allegedly provided more protected health information to KCC than what was necessary. Also, KCC claimed, it sent all documents to its former clients for review.
The AIDS Law Project of Pennsylvania called the incident the “world’s largest data breach involving HIV privacy” ever.