Skip to content ↓ | Skip to navigation ↓

Aetna has agreed to pay $17 million as part of a settlement agreement for a breach that might have compromised thousands of HIV patients’ privacy.

On 16 January, the United States District Court for the Eastern District Court of Pennsylvania received a proposed settlement agreement (PDF). The arrangement stipulates that Aetna, Inc., Aetna Life Insurance Company, and Aetna Specialty Pharmacy, LLC will pay $17,161,200 to resolve the privacy breach claims of customers from 23 states. They will use those funds to send at least $500 to anyone affected by the incident as well as $75 to approximately 1,600 additional customers whose health information Aetna’s legal counsel and mail vendor might have accessed in some way.

The disclosure occurred on 28 July 2017 when the American managed health care company sent out letters to 12,000 of its customers who had filled prescriptions for HIV. Aetna conduct the mailing using a vendor, a third party which sent each patient a notice inside a window envelope. The type of envelope chosen by the vendor sometimes allowed the recipient’s personal health information (PHI), including their HIV diagnosis, to shift into view, thereby compromising their privacy.

An Aetna mailer in which a reference to HIV medication is partly visible though the envelope window.

As reported by NPR, the AIDS Law Project of Pennsylvania and the Legal Action Center issued a demand letter in late August demanding that Aetna stop the mailing. The health care company responded by setting up a relief program for affected patients in October. But upon learning of the scale of the mailing and its effect on patients’ privacy, the two organizations along with Berger & Montague PC filed a class-action lawsuit.

Aetna is pleased by the settlement agreement, which responds to that same lawsuit. As it told CNN in a statement:

Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.

Towards that end, Aetna has created a “best practices” document and set up protocols to help better secure its electronic medical record systems along with its patients’ PHI.

This settlement agreement currently requires court approval.