The Department of Health and Human Services’ Office for Civil Rights (OCR) announced Wednesday that the settlement covers a series of HIPAA violations dating back to 2017, including a high-profile case in which the HIV status of thousands of members was exposed.
In August 2017, Aetna reported that in late July benefit notices were mailed to thousands of members using window envelopes. Members complained that in the window of the envelope “HIV medication” was visible beneath their name and address.
Aetna found that 11,887 people were affected by this breach. Aetna paid out a $17 million settlement as part of a class-action lawsuit over the incident and also paid nearly $650,000 to resolve state investigations into the matter.
“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement,” said OCR Director Roger Severino in a statement.
Mike DeAngelis, a spokesperson for Aetna’s parent company CVS Health, said in a statement to Fierce Healthcare that the insurer has “since updated our processes and procedures to further protect member information and are working cooperatively with OCR to further enhance our policies related to privacy and security.”
“Protecting our members’ privacy is a responsibility we take very seriously. We’ve entered into a settlement agreement with the Office for Civil Rights related to incidents that occurred in 2017, during which personal health information was inadvertently exposed,” DeAngelis said. “These incidents occurred prior to Aetna becoming part of CVS Health, and did not involve any of the company’s other businesses.”
RELATED: What HIPAA law? Study finds future healthcare employees would consider violating privacy laws for cash
In June 2017, Aetna found that a platform it used to display “plan-related documents” to its members was accessible without a login and was therefore indexable by search engines. About 5,002 people were affected by the breach, which included their names, insurance member numbers, claims amounts and dates of health service.
Thirdly, in November 2017, Aetna reported to OCR that a mailer it sent out to plan members about a research study included the name and logo of the study on the envelope, outing their participation. About 1,600 members were affected.
OCR also found that Aetna failed to perform periodic evaluation on the effect of operational changes on the safety and security of member’s electronic protected health information, and the insurer failed to implement procedures to verify the identity of people seeking access to such information.
In addition, OCR’s investigation found that Aetna failed to limit disclosures of protected health information to the minimum necessary and did not have in place appropriate safeguards to protect the privacy of that information.
In addition to the financial settlement, Aetna has agreed to a corrective action plan in which it will be monitored for two years, OCR said.