CVS Health is facing a lawsuit for breach of privacy in allowing letters with the health information about HIV benefits to be sent out in envelopes that had a clear window.
The federal lawsuit was filed March 21 in Ohio by three unidentified plaintiffs who are clients of the Ohio HIV Drug Assistance Program, according to ABC News.
The complaint also names Fiserv, the vendor used by CVS to mail the letters.
A spokesman for the Ohio Department of Health, which oversees the HIV program, referred all comment to CVS Health.
"CVS Health places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously," CVS Health said by statement. "Last year, as part of a CVS Caremark benefits mailing to members of an Ohio client, a reference code for an assistance program was visible within the envelope window. This reference code was intended to refer to the name of the program and not to the recipient's health status. As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings."
CVS Health said it could not comment further due to the pending litigation.
The breach occurred in August when CVS Caremark mailed the benefit information to about 4,000 members of the Ohio HIV Drug Assistance Program, a CVS Health spokesman said at the time.
It also happened just after Aetna suffered a similar breach when it mailed to about 12,000 customers in 23 states information on HIV medications. The names and address of the recipients and some of the letter's contents were visible through the clear envelope window.
In January, Aetna agreed to pay about $17 million to resolve the class action lawsuit.