Aetna to pay $935,000 in settlement with California in envelope data breach case

The settlement also requires Aetna to implement mailing procedures that protect the confidentiality of medical information.

Beth Jones Sanborn, Managing Editor

Photo Source: The Legal Action Center

Aetna will pay $935,000 as part of a settlement with the state of California resolving allegations that the insurer violated California health privacy laws in connection with its 2017 breach of patient confidentiality. The incident involved a "mailing error" in which a vendor for Aetna sent letters to 1,991 Californians in envelopes whose oversized clear window inadvertently revealed sensitive health information regarding recipients' HIV status, California Attorney General Xavier Becerra said in a statement.


The settlement requires Aetna to implement mailing procedures that protect the confidentiality of medical information, including ensuring that medical information is not visible through the window of envelopes used. The company must also designate an employee responsible for Aetna's revised mailing program, compliance with privacy laws, and management of external vendors handling medical information.

The settlement also requires Aetna to complete an annual privacy risk assessment that will evaluate the company's compliance with the terms of the settlement for three years.


In late July 2017, Aetna mailed letters to approximately 12,000 people nationwide, including 1,991 Californians. The letters were mailed in envelopes that had an enlarged window. That window revealed information that the recipient was taking HIV-related medication. Attorney General Becerra argued that Aetna had violated state law by revealing the confidential medical information.

The victims have additionally received over $17 million in compensation through a private class action settlement.

In October, in a separate action, Aetna agreed to pay a $365,211 civil penalty to settle the privacy claims in New Jersey, and it has reached other settlements in D.C. and Connecticut.


"A person's HIV status is incredibly sensitive information and protecting that information must be a top priority for the entire healthcare industry," said Attorney General Becerra. "Aetna violated the public's trust by revealing patients' private and personal medical information. We will continue to hold these companies accountable to prevent such a gross privacy violation from reoccurring."

"Through our outreach efforts, immediate relief program and settlements over the past year we have worked to address the potential impact to members following this unfortunate incident. In addition, we have implemented measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information," Aetna said in a statement.

Twitter: @BethJSanborn