Aetna will pay New York a $1.15M fine tied to HIV privacy breach

Aetna letter
This photo shows a redacted mailing that revealed an Aetna member's HIV status through the window of the envelope, according to an advocacy group. (Legal Action Center)

Aetna, which will already pay $17 million to settle a privacy-breach lawsuit, has also agreed to pay a $1.15 million fine to the state of New York.

Both settlements concern the same incident: a mailing the insurer sent to about 12,000 individuals last summer that revealed their HIV status through a clear window in the envelope.

The incident prompted a class-action lawsuit filed by people who said they suffered harm when their family, roommates, neighbors, landlords or even complete strangers saw the letters. Aetna and the plaintiffs in that case agreed to a settlement last week, and now the insurer has also settled (PDF) an investigation launched by New York Attorney General Eric Schneiderman.

Schneiderman noted that while investigating the HIV mailing, his office discovered an additional privacy beach involving mailings sent to Aetna members with atrial fibrillation.

After Schneiderman’s investigation concluded, Aetna agreed to pay a $1.15 million civil penalty and take steps to improve how it handles personal health information and personally identifiable information in mailings. The company will also hire an independent consultant to monitor its policies and procedures for protecting members’ privacy.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” Schneiderman said in a statement. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members.”

Before reaching settlements with the plaintiffs in the class-action suit and with New York, Aetna coordinated with two advocacy organizations to offer “immediate relief” to those affected by the HIV privacy breach. That included reimbursing individuals who claimed financial hardship due to the breach and offering counseling services for affected individuals and their families.

“Through our outreach efforts, immediate relief program and recent settlements, we have worked to address the potential impact to members following this unfortunate incident,” an Aetna spokesman told FierceHealthcare. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

Aetna is not the only insurer to have faced legal action due to a privacy breach. In June, Anthem agreed to pay $115 million to settle a class-action lawsuit tied to a 2015 data breach that exposed nearly 80 million patient records. And CareFirst is asking the Supreme Court to review an appeals court decision that allowed members to move forward with a lawsuit concerning a 2014 data breach.