Alleged HIV Breach Leads to Suit Against CVS, Mailing Vendor
Complaint Also Alleges CVS Failed to Notify HHS of the Mailing Incident
A class action lawsuit is seeking millions of dollars in damages for plaintiffs after yet another mailing-related health data breach involving sensitive HIV-related information allegedly visible through envelope windows.
The lawsuit against Caremark and its parent company, CVS, as well as their mailing vendor, Fiserv, was filed March 21 in an Ohio federal court. The complaint alleges that a mailing of letters last year illegally disclosed the HIV status of 6,000 individuals.
The suit also alleges that CVS failed to report the alleged incident as a breach to the U.S. Department of Health and Human Services and to notify affected individuals, as required by HIPAA. Under that regulation, covered entities have 60 days after discovery of a breach affecting 500 or more individuals to report the incident to HHS and notify victims.
As of March 23, the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website, commonly called the "wall of shame", which lists major breaches, did not include an entry for the alleged breach involving CVS and the Ohio mailing.
The lawsuit comes on the heels of several other recent breach cases involving protected health information being visible through the transparent windows of mailing envelopes.
Coincidentally, one such case involves health plan Aetna, which CVS has proposed to acquire (see Aetna Breach Case Gets Messier).
The Lawsuit's Allegations
The complaint in the CVS Caremark case says the company entered into an agreement effective July 2017 with the state of Ohio to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program, or OhDAP.
The suit says that under that state contract, CVS provides OhDAP-eligible clients with HIV medications and is responsible for communications with participants relating to such drugs.
CVS entered a contract with technology services firm Fiserv to mail information to thousands of individuals throughout Ohio, including the HIV-related mailings at the center of the alleged breach case, according to the suit.
Beginning in late July or early August 2017, "defendants mailed a letter containing membership cards and information about the CVS program and how persons would access their HIV-related prescriptions," the complaint alleges.
"This letter was mailed to an estimated 6,000 participants in OhDAP, regardless of whether they were active pharmacy customers of CVS," the suit says. The envelopes containing these mailings had two "clear glassine windows" from which the recipient's HIV status was plainly visible through one of the windows, the suit alleges.
"Defendants either knew or reasonably should have known that this mailing was disseminated in violation of both federal and state laws," the lawsuit states.
The complaint alleges that the use of envelopes with transparent windows "violates the standard practice" of the Ohio Department of Health, which requires that all mailings relating to HIV-related issues be sent in opaque, non-windowed envelopes.
Failure to Notify?
The complaint alleges the defendants' actions have "a great probability of causing substantial harm" to the individuals whose HIV status was visible to others in the mailing.
Also, "CVS hampered efforts to remediate the damage by failing to notify affected individuals and HHS," the suit alleges.
The complaint notes that a plaintiff attorney "sent CVS a letter months ago advising CVS that it had violated HIPAA, asking for verification of the corrective measures that CVS had taken to ensure that breaches will not happen in the future, and demanding that CVS notify the affected individuals."
The suit alleges that CVS's chief privacy officer acknowledged receipt of the letter and stated that CVS was investigating this claim. "Yet CVS did not communicate further or notify the affected individuals or HHS of this breach," according to the suit.
Among the claims, the suit alleges "unauthorized, unprivileged disclosure to a third-party of nonpublic medical information" as well as violations of Ohio state laws.
Plaintiffs are seeking compensatory and punitive damages, which could potentially exceed $5 million, as well as reasonable costs and attorneys' fees.
In a statement provided to Information Security Media Group, CVS says it "places the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously."
The statement adds: "Last year, as part of a CVS Caremark benefits mailing to members of an Ohio client, a reference code for an assistance program was visible within the envelope window. This reference code was intended to refer to the name of the program and not to the recipient's health status," the company says. "As soon as we learned of this incident, we immediately took steps to eliminate the reference code to the plan name in any future mailings. We have no further comment due to the pending litigation."
Fiserv did not immediately respond to ISMG's request for comment.
Some breaches involving the unauthorized disclosure of HIV information have ended up costing organizations hefty settlements, as well as fines by federal or state regulators.
For instance, the 2017 breach case involving Aetna's mailing of HIV-related information to 12,000 individuals has already cost the health insurer about $20 million in legal settlements. Aetna settled a class action lawsuit for $17.2 million and paid a $1.15 million fine as part of an enforcement action by New York state's attorney general.
Aetna recently filed a lawsuit against Kurtzman Carson Consultants, the company that the insurer says directed the 2017 mailing to the health plan members in which the HIV drug information was visible through windowed envelopes.
And in another recent HIV-related breach case, OCR in May 2017 slapped St. Luke's-Roosevelt Hospital Center in New York with a $387,000 penalty and corrective action plan to settle a case impacting only two patients and involving the hospital's "careless handling of HIV information," according to the federal agency (see Big Settlement in Privacy Case Involving 2 Patients' HIV Data).