
A health insurer has set up a program to provide immediate relief to victims of an incident that disclosed patients’ personal health information (PHI).

In early October 2017, American managed health care company Aetna announced the relief program. Through this framework, it will reimburse individuals who suffered financial hardship as a result of the security incident. It will also offer counseling services to affected individuals and their families, reports

The PHI disclosure occurred on 28 July 2017 when Aetna sent letters to about 12,000 of its customers informing them of changes to their received healthcare services. In some cases, the contents of those letters were readable from within their sealed envelopes. That’s because a vendor responsible for the mailing used a window envelope, which means a patient’s PHI sometimes shifted into view.

The managed health care company explains what information the incident might have exposed in a breach notification letter (PDF) sent out to affected customers:

“The information displayed in the envelope’s window was your first name, last name, address, and in some cases, a reference to filling prescriptions for [certain] medications. The viewable information did not include the name of any particular medication or any statement that you have been diagnosed with a specific condition. Your Social Security number, bank account information and credit card information were not included in the letter.”

Even so, the envelope window did in at least some cases reveal patients’ HIV status. Here’s a picture of one of the envelopes:

An Aetna mailer in which a reference to HIV medication is partly visible through the envelope window.

Those affected by the privacy breach can enroll in Aetna’s relief program by clicking here. They can also contact AIDS Law Project of Pennsylvania at 215-587-9377 or the Legal Action Center (New York residents only) at 212-243-1313 if they would like to file a request for financial reimbursement. In so doing, they will not release any legal claims.

News of this PHI disclosure relief program follows a few months after the University of Iowa Health Care (UIHC) notified thousands of patients of a data breach that exposed their personal and medical information.