Aetna Breach Case Gets MessierNew Lawsuits Filed in the Wake of 2017 Mailing Mishap
A case involving a 2017 privacy breach that has already cost health insurer Aetna about $20 million in legal settlements is getting messier.
And while two new legal battles related to the breach incident begin to play out in federal courts, some experts say the case is offering early lessons to covered entities and business associates about the importance of good vendor management practices.
"This current litigation playing out between Aetna and its contractors should serve as the poster child for why healthcare organizations need to have sound vendor management practices," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
Problems With Mailing
At the center of the new legal controversies brewing in two federal courts is a July 2017 mailing of letters to about 12,000 Aetna plan members in several states containing HIV drug information that was visible through the envelopes' transparent windows (see Aetna Mailing Mishap Exposes HIV Drug Information).
Ironically, those ill-fated mailings were notices to the plan members related to an earlier legal case against Aetna in which the insurer ultimately agreed to provide its plan members options for how they can fill their HIV medication prescriptions.
Aetna last month settled two lawsuits related to that mailing mishap. That includes a $17.2 million settlement in a class action lawsuit filed against the company last year, and a $1.15 million settlement with the New York state attorney general's office.
In both those settlements, Aetna also agreed to beef up protections to ensure the privacy of personal health information and personally identifiable information in mailings.
But now Aetna is seeking at least $20 million in reimbursement from the company it says is responsible for the mailing of those windowed envelopes.
On Feb. 5, Aetna filed a lawsuit in a Pennsylvania federal court against Kurtzman Carson Consultants, a class action settlement administrator company that Aetna says directed the mailing to the health plan members in which the HIV medication information was visible through windowed envelopes.
Among other allegations, Aetna claims that KCC did not advise Aetna or its counsel that it intended to use a window envelope to mail the notice to Aetna's health plan members.
In its complaint against KCC, Aetna says it is seeking reimbursement and damages from KCC for "KCC's acts, errors, omissions and gross negligence relating to the handling of Aetna members' protected health information and the mailing of a notice to approximately 12,000 Aetna members in window envelopes which, under certain circumstances, potentially disclosed protected health information of the recipient to unauthorized third parties."
But on Feb. 6, in a California federal court, KCC counter-sued Aetna and also named Gibson Dunn, the health insurers' legal counsel in the earlier prescription lawsuit case against Aetna, as a defendant in the countersuit case.
Among other demands, KCC in its suit is seeking "a declaratory judgment that KCC has no obligation to provide indemnity, contribution and/or reimbursement to Aetna under any circumstances."
KCC alleges, among other claims, that Gibson Dunn and Aetna provided KCC "with far more PHI of Aetna insureds than was minimally necessary for KCC to perform its job function. Without Aetna and Gibson having provided the PHI of the Aetna insureds, KCC would have had no direct access to or control over the PHI, which at all times was provided by Aetna and Gibson."
In addition to other allegations, KCC also claims the PHI for the Aetna plan member mailing was sent by Gibson Dunn to KCC via unencrypted email.
Stephen Wu of the law firm Silicon Valley Law Group notes that the case also opens up a number of questions, including whether Aetna had an appropriate HIPAA business associate agreement in place with Gibson Dunn, and whether Gibson Dunn had a BA agreement with KCC.
" This is a Keystone Cops case."
—Attorney Stephen Wu
"This is a Keystone Cops case," Wu says, referring to mistakes and possibly bungled activities that potentially led to the privacy breach impacting the Aetna health plan members in the mailing. "Why would anyone even consider sending HIV-related information in windowed envelopes? 'HIV notices' and 'window envelopes' shouldn't be said in the same breath."
Wu says the allegation by KCC that Gibson Dunn sent the PHI of Aetna plan members to KCC via unencrypted email doesn't appear to be relevant in the actual privacy breach involving the paper mailing.
"However, the unencrypted email could very well trigger an investigation by the Office for Civil Rights," the Department of Health and Human Services' agency that enforces HIPAA, Wu notes.
Vendor Management Lessons
Holtzman says the legal saga involving Aetna, Gibson Dunn and KCC in the breach-related case is complex, but some lessons in vendor management are emerging.
"Good vendor management practices call for a covered entity to work with their contractors to employ a risk based strategy to assess the potential for compromise of data," he says. "The approach is the same whether developing patching and updating to information system applications or when designing the production and mailing of PHI. Many organizations take special precautions when handling PHI that contain sensitive personal information like a person's HIV status."
Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials to a large number of people, there must be a quality control process in the design, production and delivery of the finished product, Holtzman says.
"It is a best practice to develop a quality control checklist to help ensure that the ... document can be produced in way that fits into the finished mailing package - for example, the window envelope - and that any data processing in the production of the document is checked to ensure the output allows for any PHI to be kept confidential," Holtzman says. It's also important to conduct a "final quality assurance check to physically inspect the document is stuffed into its envelope in such a way to make sure that only the recipient's name and address is showing."
Aetna, Gibson Dunn and KCC did not immediately respond to Information Security Media Group's requests for comment.