Just days after Aetna was hit with a lawsuit tied to a similar incident, CVS Health says it has halted mailings that inadvertently made a reference to HIV visible through a window in the envelope.
The incident occurred when the company’s pharmacy benefits management arm, CVS Caremark, mailed pharmacy benefit information to approximately 4,000 members of one of its clients, Ohio’s AIDS Drug Assistance Program, according to a statement from CVS Health. The mailings included a reference code for the assistance program—PM 6402 HIV—which was visible within the clear envelope window.
While CVS said the code was intended to refer to the name of the program, not the recipients' health status, it immediately halted the mailings as soon as it learned of the incident. The company also said it is taking steps to eliminate referencing that plan name in any future mailings.
“CVS Health places the highest priority on protecting the privacy of our patients and we take our responsibility to safeguard confidential patient information very seriously,” the statement said.
Still, AIDS activist Eddie Hamilton told the Washington Blade that he has filed a complaint about the mailing to the Department of Health and Human Services’ Office of Civil Rights (OCR).
The CVS incident came to light in the same week that a Philadelphia law firm filed a class-action suit against Aetna for its own privacy breach. In that incident, Aetna sent a letter to approximately 12,000 members that contained instructions for filling prescriptions for HIV medication—which in some cases was visible through a window in the envelope.
Two legal advocacy groups have said consumers told them the mailings seen by family members, roommates and neighbors of Aetna members, noting that disclosing a person’s HIV status risks exposing them to “violence, discrimination and other trauma.”
Aetna sent a letter in the third week of August to affected members notifying them of the breach, which it said it first learned about July 31. The insurer also said it is “undertaking a full review of our processes to ensure something like this never happens again.”
Further, Aetna has reported the incident to the OCR. Healthcare organizations are required to report privacy breaches that affect more than 500 individuals within 60 days of discovery.