Governance & Risk Management , Privacy
Aetna Mailing Mishap Exposes HIV Drug Information
Up to 12,000 Potentially Affected by Use of 'Window' Envelopes
An incident involving HIV information being potentially visible through envelope windows on thousands of letters mailed to members of Aetna's pharmacy benefits plans is an important reminder that even routine mailings present privacy risks.
See Also: Overcoming Unstructured Data Security and Privacy Choke Points
The incident involves the mailing of pharmacy benefits letters to Aetna plan members in eight states - Arizona, California, Georgia, Illinois, New Jersey, New York, Ohio, Pennsylvania, - plus Washington, D.C.
Two consumer advocacy organizations, the Legal Action Center and the AIDS Law Project of Pennsylvania, issued a statement on the incident and wrote a letter to Aetna demanding action.
The statement says Aetna recently mailed some customers instructions for filling HIV medication prescriptions. "Recipients were stunned when they realized information about HIV medication was clearly visible through the window on the envelope," it notes.
"The letters were sent to individuals currently taking medications for HIV treatment, as well as for "pre-exposure prophylaxis," a regimen that helps prevent a person from acquiring HIV, the statement says.
The statement notes that a "demand letter" was sent to Aetna Thursday by attorneys on behalf of individuals who contacted various advocacy organizations. The attorneys' letter calls for Aetna to immediately stop sending letters in the current form that discloses HIV medication information and also calls on the insurer to develop a plan to correct its practices and procedures. The statement notes that "other legal action" is also under consideration.
Aetna Explains
Aetna tells Information Security Media Group that the mailing went to approximately 12,000 members with information related to accessing medication "potentially" viewable.
In a sample breach notification letter obtained by ISMG, Aetna says the error occurred due to the type of envelopes used by an unnamed vendor handling the mailing. That vendor "used a window envelope, and, in some cases, the letter could have shifted within the envelope in a way that allowed personal health information to be viewable through the window," Aetna notes.
The incident does not yet appear listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame," which lists health data breaches impacting 500 or more individuals.
An Aetna spokesman tells ISMG that the company is in the process of reporting the incident to regulators and sending notification letters to affected individuals.
Aetna says it first became aware on July 31 that in some cases, personal health information was visible through the window of the envelopes used to send the benefits letter.
"Upon learning of the issue, we took immediate steps to investigate what happened ... On August 2, we determined this incident may have caused a breach of your protected health information," Aetna says in the notification.
The information displayed in the envelope's window included individuals' first name, last name, address, "and in some cases, a reference to filling prescriptions for certain medications," the Aetna notification letter says. "The viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition. ... Regardless of how this error occurred, it affects our members and it is our responsibility to do our best to make things right. We will work to ensure that proper safeguards are in place to prevent something similar from happening in the future."
Other Cases
This isn't the first health data breach reportable under HIPAA involving mailings - or the first involving HIV-related information being disclosed. Some of those incidents have resulted in stiff enforcement actions by the HHS Office for Civil Rights or state officials.
For instance, OCR in May issued a resolution agreement including a corrective action plan and $387,000 settlement with St. Luke's-Roosevelt Hospital Center in New York in a breach case affecting only two patients and involving what OCR called, "careless handling of HIV information' (see Big Settlement in Privacy Care Involving 2 Patients, HIV Data).
In that case, OCR says a hospital worker in 2014 impermissibly faxed a patient's PHI, including HIV status, to the individual's employer rather than sending it to the requested personal post office box.
In an even bigger settlement for a breach of sensitive information, OCR in 2011 signed a resolution agreement that included a $1 million payment by Massachusetts General Hospital for an incident involving a hospital worker who left behind on a train papers containing HIV information for 192 patients.
States have also stepped in health data breach cases involving mailings. For instance, in 2014, California's state attorney general issued a $150,000 fine against health insurer Anthem in a case involving the mailings in 2011 and 2012 of almost 34,000 letters printed with the Social Security numbers of certain members viewable through the envelopes' windows.
Common Problems?
Breaches involving paper-based PHI, such as mailings, are common, says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"While much of the attention about protecting health information has focused on electronic health record systems, many treatment and payment communications are done on paper," he notes. "In the case of health insurers and health plans, it is not unusual for these organizations to be required to deliver to patients or beneficiaries written notices about benefits, coverage and how claims for service are paid."
Breaches involving mailings "are usually the result of no one thinking about what is happening - no one looking at the resulting mailing, for example," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"You would anticipate that all it would take is one person seeing the final product, but it is not clear who would be doing that. Management needs to ask the questions and walk through the process. This kind of a letter - with higher sensitivity in general - should get extra attention. In general, though, it is just another reminder that paper matters and that small things still need attention."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "Whether due to human or machine error, mailing mistakes "are a frequent and seemingly inevitable problem," says.
"Organizations should consider building processes around an understanding that mistakes will happen, with a robust auditing process focused on catching those mistakes before they go out the door," he says.
To avoid these kinds of mistakes, Greene says entities should take steps that include "building accountability around checking mass mailings." This includes ensuring that mailings are correctly addressed, information from one patient or plan member is not making it into the next one's envelope, and no PHI is visible from the outside.
"Even with an auditing process, sometimes mistakes will happen and slip through," Greene says. "But showing a robust audit process can help demonstrate reasonable safeguards, which may mean the difference between a voluntary closure and a financial settlement."
Holtzman offers additional advice: "Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials to a large number of people, there must be a procedures to ensure that there is a quality control process in the design, production and delivery of the finished product," he says.
In addition, extra steps can be taken when communications involve highly sensitive information, he notes. "For example, some organizations will produce a cover page containing only the addressing information that faces through the window of the envelope. Other organizations will not use window envelopes in the mailing of correspondence that includes sensitive PHI."
