No hackers here—just a lack of attention to detail.
Insurance giant Aetna is now the subject of a class-action lawsuit after the HIV statuses of 12,000 patients were revealed in a mass mailer. At issue is the use of a large-window envelope through which sensitive information could be read.
Legal groups on Monday filed a class-action lawsuit […] alleging the company violated the privacy of its customers by sending many of them letters through which the phrase “filling prescriptions for HIV” was visible through envelope windows.
Aetna was notified of the situation on July 31, after which it mailed a letter notifying patients of the breach of their privacy. The letter offered an apology to customers and called the mistake “unacceptable” in hopes to “earn back” their trust.
This latest error was triggered by Aetna’s response to an earlier lawsuit that alleged it was lax in protecting the personal information of HIV patients. FREE DOWNLOAD: The Power of PR in Health Care: Building Trust, Credibility & Reputation
In 2014 and 2015, plaintiffs who had been prescribed HIV medications claimed their privacy rights were being violated by a proposed Aetna requirement that they receive the medications via mail and not in person at pharmacies.
Settlements in those lawsuits required Aetna to pay $24,000 to plaintiffs and to send via mail a notice that “informing them that they were no longer required to order their medications through the mail.”
The insurer then provided a third-party vendor with 12,000 mailing addresses, and the mailings were then sent out using envelopes with large, transparent windows.
The seriousness of the breach is highlighted by the response to the error. Lawyers for the plaintiffs spoke to CNN about the damage done to their clients by the mailing :
“I know of someone who has been kicked out of his home because somebody who saw his envelope learned his HIV status,” said Sally Friedman, legal director of the Legal Action Center, who is coordinating the efforts of attorneys.
People have been devastated. We’ve had a number of people tell us they had chosen not to disclose their HIV status to family members—but this is how their family members found out.
At fault may have been the choice to use a third-party mailer to send these notices; the lawsuit claims the decision to use the mailers is suspect considering prior privacy complaints.
These actions, the lawsuit said, “carelessly, recklessly, negligently and impermissibly” revealed HIV-related information of Aetna’s current and former members to their “family, friends, roommates, landlords, neighbors, mail carriers and complete strangers.”
The breach was roundly condemned by public officials and HIV rights advocates.
This is an unacceptable breach of privacy, and appears to violate federal and NY laws. I am demanding more information from Aetna. https://t.co/H4kJB5X96F
— Eric Schneiderman (@AGSchneiderman) August 25, 2017
— Coretta | Jackson (@CorettaJackson) August 26, 2017
— Lambda Legal (@LambdaLegal) August 24, 2017
The financial cost of this breach remains unclear, though it promises to be high.
Health care companies often settle health privacy law violation cases with HHS and in some cases pay millions in fines. In May, for example, after an employee at St. Luke’s-Roosevelt Hospital Center Inc. inadvertently disclosed a patient’s HIV status and other medical information to his employer, the provider paid a $378,000 settlement.
In a 2003 interview , HIPAA expert John Fusile noted several concerns for sending HIPAA-compliant mailings.
Providers should pay close attention to the envelopes they use. A patient may not want the mail carrier, spouse, or children, to see an envelope printed with the name of a mammography or colonoscopy clinic on the front, for example. Stamping an envelope confidential may draw unwanted attention.
He conceded that opening mail addressed to another person without consent is “mail fraud,” but he said that is not enough to ensure privacy.
“There is certainly some safe harbor in assuming that mail fraud is a deterrent. But I open the mail for my wife. You need to foresee the risk that somebody else would open it. If it’s particularly confidential, send them a letter saying only, ‘Your test results are in, please contact us.'”
Communicators, do you still use physical mailers? What safeguards do you have in place to avoid a mistake like Aetna’s?