Aetna has reached an agreement in New Jersey to pay a $365,211.59 civil penalty to settle claims that it allowed the private health information of individuals to be viewed through transparent envelope windows. The insurer will also reportedly pay $100,000 in Connecticut and $175,000 in the District of Columbia for a total of $640,000.
Aetna inadvertently disclosed the HIV/AIDS-related information on thousands of beneficiaries, including about 647 New Jersey residents, according to New Jersey Attorney General Gurbir S. Grewal, in an agreement announced October 10.
The fine is on top of the $17 million expected to be paid by the insurer in compensation to individuals who filed a class action lawsuit.
Learn on-demand, earn credit, find products and solutions. Get Started >>
The settlement with New Jersey resolves two separate privacy breaches. One occured in 2017 and involved a mailing that potentially revealed information about the recipients' HIV or AIDS status.
The second was a mailing that may have revealed the identity of patients with atrial fibrillation who were taking part in a study.
Aetna not only violated federal HIPAA law, but also state laws.
New Jersey conducted the investigation and negotiated the resolution with Connecticut, Washington and the District of Columbia.
WHY THIS MATTERS
Aetna promotes the safeguarding of private health information on its website through "extensive operational and technical protections," the AG's office said.
It slipped up on HIPAA law through a relatively simple mistake.
Aetna failed to ensure that the envelopes used by a claims administrator it hired for sending out notices on the ability for HIV/AIDS members to fill prescriptions in person or by mail were secure. The third party, in turn, said Aetna knew the envelopes it was using for the mailing had a transparent window. Lawsuits were traded.
Whatever the resolution, the HIPAA violation is costing Aetna time, money and the trust of affected beneficiaries.
In April, CVS Health suffered a similar security breach by allowing letters containing information about HIV benefits to be sent in envelopes that had a clear window.
In unrelated news, CVS Health and Aetna received conditional approval last week to move forward with their $69 billion merger.
Under the terms of the New Jersey settlement, Aetna will put in place policy, protocol and training reforms designed to safeguard individuals' protected health information, and ensure the confidentiality of mailings containing that information.
The company also will hire an independent consultant to evaluate and report on its privacy protection practices, and to monitor its compliance with the settlement's injunctive terms.
ON THE RECORD
"Companies entrusted with individuals' protected health information have a duty to avoid improper disclosures," said Attorney General Gurbir Grewal. "Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again."