Aetna Hit With More Penalties for Two BreachesCases Involved Mailings That Potentially Exposed Sensitive Health Information
Health insurer Aetna is still paying the price for two 2017 privacy breaches involving mailings that potentially exposed HIV and cardiac condition information about thousands of individuals.
After a multistate investigation, Aetna last week signed financial settlement agreements with Washington, D.C., for $175,000, Connecticut for $100,000 and New Jersey for $365,000. The amount of another new settlement with the state of Washington was undisclosed.
New Jersey Attorney General Gurbir Grewa says the states investigating the incidents alleged that Aetna not only violated HIPAA but also state laws pertaining to the protected health information of individuals in general, and of persons with AIDS or HIV infection in particular.
Another Legal Dispute
Following those January settlements, Aetna filed its own lawsuit against Kurtzman Carson Consultants, a class action settlement administrator, which Aetna says directed the July 2017 mailing to health plan members in several states in which HIV medication information was visible through windowed envelopes (see Another Twist in Messy Aetna Privacy Breach Case).
A second incident, which occurred in September 2017, involved a mailing sent to 1,600 individuals concerning a study of patients with atrial fibrillation, or AFib. The envelopes included the name and logo for the study - "IMPACT AFib" - which could have been interpreted as indicating that the addressee had an AFib diagnosis.
"Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information," says Karl Racine, Washington, D.C.'s attorney general. The settlements, he says, "will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers' private information."
Under the terms of the settlements, Aetna will put in place policy, protocol and training reforms designed to safeguard individuals' protected health information and ensure the confidentiality of mailings containing that information, Grewa says.
The insurer also will hire an independent consultant to evaluate and report on its privacy protection practices and monitor its compliance with the settlement's injunctive terms, he notes.
Lessons to Learn
The incidents at the center of the settlements offer important lessons about the handling sensitive health information.
"Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials to a large mailing number of people, there must be a quality control process in the design, production and delivery of the finished product," notes privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"It is a best practice to develop a quality control checklist to help ensure that the document can be produced in a way that it fits into the finished mailing package - for example, the window envelope - and ensure that any data processing in the production of the document is checked to ensure the output allows for any PHI to be kept confidential," he says.
Another essential step, he adds, is to conduct a final quality assurance check to inspect how the document is stuffed into its envelope to make sure that only the recipient's name and address is showing.
Healthcare organizations and their vendors should employ a risk-based strategy to assess the potential for compromise of data when designing the production and mailing of documents containing PHI, Holtzman says.
"Many organizations take special precautions when producing and mailing documents that contain sensitive personal information like a person's HIV status. For example, some organizations will produce a cover page containing only the addressing information that faces through the window of the envelope. Other organizations will not use window envelopes in the mailing of correspondence that includes sensitive PHI."
In the recent multistate investigation, the state attorneys general examined the policies and procedures in place to handle the production and mailing of documents containing sensitive personal information, Holtzman notes. That included whether there were business associate agreements in place, as required under the HIPAA Privacy Rule, whether the policies and procedures were followed in the production and mailing of these letters, and whether the individuals affected by the unauthorized disclosures provided the notifications required by federal and state law.
The disclosure of Aetna's latest settlements came the same week as the U.S. Department of Justice granted preliminary approval the proposed $69 billion merger of Aetna and CVS Health Corp.
While the DoJ approval of the merger includes the companies meeting certain conditions, including the divesture of Aetna's Medicare Part D prescription drug plan business for individuals, Aetna's latest state AG settlements "were not connected to the DoJ process or CVS merger in any way," an Aetna spokesman tells Information Security Media Group.
"Through our outreach efforts, immediate relief program and recent settlements, we have worked to address the potential impact to members following this unfortunate incident," Aetna says. "In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information."