The settlement agreement also calls for privacy best practices and training.
It wasn’t a big data breach, a cyberattack, or the work of some black hat hacker. It was an old-fashioned paper problem. The health insurance giant Aetna has agreed to pay $17 million for allegedly mailing out envelopes exposing nearly 12,000 customers’ HIV-related information, according to an announcement.
The payment is the result of a class-action lawsuit surrounding the July 2017 incident, which was said to be the “world’s largest data breach involving HIV privacy,” causing “significant harm” to recipients, according to the AIDS Law Project of Pennsylvania, the nonprofit law firm that represented the lead plaintiff in the case. Further, the agreement mandates the creation of best practices regarding how Aetna’s retained attorneys handle protected health information.
The settlement pleased attorneys who worked on behalf of affected Aetna customers. They praised the contract for both its compensation requirements and policy mandates.
“The fear of losing control of HIV-related information and the resulting risk of discrimination are barriers to healthcare,” said Ronda B. Goldfein, executive director of the AIDS Law Project of Pennsylvania, which worked on the matter with several other law firms. “This settlement reinforces the importance of keeping such information private, and we hope it reassures people living with HIV, or those on [the anti-HIV drug pre-exposure prophylaxis] PrEP, that they do not have to choose between privacy and healthcare.”
The envelope in question. Courtesy of the AIDS Law Project of Pennsylvania.
In the case, the plaintiffs alleged that Aetna “improperly transmitted” 13,487 names of people who were prescribed HIV drugs. Then they claimed that envelopes with large, see-through windows exposing private HIV information were sent to 11,875 of those individuals. A Pennsylvania resident who takes PrEP emerged as the lead plaintiff in the class-action suit filed last summer, according to the AIDS Law Project.
An Aetna representative told Healthcare Analytics News™ that the company is trying to learn from the stumble.
“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” the insurer said in a statement. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”
In addition to covering attorneys’ fees, Aetna will pay $75 to people whose information was revealed to the company’s counsel or mail vendor and at least $500 to people whose data leaked in the low-tech envelope breach, according to the settlement agreement. The second group may continue to seek additional money for the breach.
“HIV still has a negative stigma associated with it, and I am pleased that this encouraging agreement with Aetna shows that HIV-related information warrants special care,” the lead plaintiff, whose name was not released, said in a statement.
In the settlement, Aetna also included the new policy surrounding the handling of sensitive information. The insurer must launch the policy no more than 60 days after the final order, provide training, conduct an audit, and maintain records of compliance.