Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
$17.2 Million Settlement for Breach Case Involving HIV InfoAetna's Settlement Points to Need to Pay Attention to Details
A mailing error can have huge consequences. Case in point: Aetna has agreed to a nearly $17.2 million settlement of a class action lawsuit filed in the wake of a July 2017 data breach involving HIV drug information being visible through envelope windows on thousands of letters mailed to members of the company's pharmacy benefits plans.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The settlement is a reminder about the importance of properly safeguarding all protected health information, especially sensitive data - whether in paper or electronic form.
Ronda Goldfein, executive director of the AIDS Law Project Pennsylvania, which filed the suit last year against Aetna jointly with the Legal Action Center and law firm Berger & Montague P.C. on behalf of the affected individuals, tells Information Security Media Group that the insurer had appeared to have taken the case "quite seriously" and "negotiated in good faith."
The federal court still needs to grant preliminary approval of the settlement reached between the plaintiffs and Aetna, she says.
Other entities need to learn from this case, Goldfein adds. "If they hold confidential health information, they have to be thoughtful about how they handle and transfer that information," she says. "They need to be mindful of the devastating consequences to individuals if not handled properly. Some people have sustained tremendous loss due to their [HIV] status being disclosed [by the mailing] ... including loss of their homes and relationships."
The July 2017 mailing was done by a third-party company that was not named as a defendant in the suit.
A joint statement by the plaintiffs' representatives notes the case alleged that Aetna improperly transmitted to its legal counsel and a mail vendor the names of 13,487 customers who had been prescribed HIV medications and that large transparent window envelopes revealing confidential HIV-related information were sent to 11,875 of them.
Aetna, in a statement provided to ISMG, says, "Through our outreach efforts, immediate relief program and this settlement, we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."
Under the terms of the proposed settlement, Aetna has agreed to pay nearly $17.2 million to resolve the claims. "All settlement class members will automatically receive a base payment of either $75 to those whose protected health information was allegedly improperly disclosed by Aetna to its legal counsel and mail vendor, or at least $500 - inclusive of the $75 payment above - to those whose privacy was breached by the large-windowed envelope, whichever is applicable," says a statement issued by the plaintiffs.
"In addition, settlement class members whose privacy was breached by the large-windowed envelope ... have the opportunity to seek additional monetary relief through the filing of a claim form documenting financial or nonfinancial harm."
Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says he believes that Aetna likely decided it was in the company's best interest to settle the matter "at what it considered to be a reasonable discount to the estimated cost of actual damages and litigation expense" the company could incur.
"Liability for actions that caused the unauthorized disclosures would be difficult to dispute," he says. "The information disclosed was of a type that was specially protected by a number of states in which the disclosures occurred, meaning individuals would have the right to sue for damages. And there were a number of individuals who alleged they could demonstrate actual, significant harm suffered as a result of the disclosures."
Sensitive Health Data Breaches
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the breach offers an important lesson for covered entities and business associates involving paper mailings of confidential patient information.
"If an envelope window is misaligned and reveals patient information, Murphy's Law suggests that the revealed patient information will end up being especially sensitive, such as HIV information," he says. "Accordingly, organizations should audit their systems, such as mailing systems, to prepare for and avert such problems."
Breaches involving sensitive health information also appear to be a sticking point with federal and state regulators.
For instance, the U.S. Department of Health and Human Services' Office for Civil Rights last May issued a resolution agreement including a corrective action plan and $387,000 settlement with St. Luke's-Roosevelt Hospital Center in New York in a breach case affecting only two patients and involving what OCR called, "careless handling of HIV information' (see Big Settlement in Privacy Care Involving 2 Patients, HIV Data).
In that case, OCR says a hospital worker in 2014 impermissibly faxed a patient's PHI, including HIV status, to the individual's employer rather than sending it to the requested personal post office box.
In an even bigger settlement for a breach of sensitive information, OCR in 2011 signed a resolution agreement that included a $1 million payment by Massachusetts General Hospital for an incident involving a hospital worker who left behind on a train papers containing HIV information for 192 patients.
In another mailing-related breach, California's state attorney general in 2014 issued a $150,000 fine against health insurer Anthem in a case involving the mailings in 2011 and 2012 of almost 34,000 letters printed with the Social Security numbers of certain members viewable through the envelopes' windows.
Holtzman says regulators are also likely to scrutinize the Aetna privacy breach. "I believe it is likely that OCR and state attorneys general will take a careful look at the process and procedures of the organizations involved in this incident," he says.
"An inquiry would look into what policies and procedure were in place to handle the production and mailing of documents containing sensitive personal information, including the business associate agreements required under the HIPAA Privacy Rule; whether the policies and procedures were followed in the production and mailing of these letters; and whether the individuals affected by the unauthorized disclosures were provided the notifications required by federal and state law."