Aetna files $17 million settlement over low-tech privacy breach

Cal Jeffrey


Nowadays when we hear of a data breach, we think of hackers getting into a database and releasing private information, or of a company posting customer information on its website without proper security measures in place. However, not all data exposures involve hacking or IT incompetence. Sometimes information leaks come in a low-tech package.

Last week Aetna agreed to pay a $17 million settlement for compromising thousands of HIV patients’ medical information. The cause of the data leak was the over-sized envelope window used to send out HIV medication notification letters to clients in 23 states.

Back on July 28, 2017, the health insurance giant sent out nearly 12,000 letters to customers who had filled prescriptions for HIV medications. Rather than using an in-house mailing department, Aetna outsourced the task.

The outside vendor chose to send the letters in envelopes with large, clear windows to display the patient’s address. Unfortunately, the windows were so large that they also revealed personal health information (PHI) including the HIV diagnosis.

The AIDS Law Project of Pennsylvania and the Legal Action Center immediately issued a demand letter to halt the mailings. In the meantime, Aetna had set up a relief effort for those affected. However, the two groups still filed a class-action lawsuit in the United States District Court for the Eastern District of Pennsylvania on behalf of the 11,875 affected clients. Aetna promptly settled out of court for $17,161,200 and issued a statement via NPR.

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

The agreement sets aside $12 million to award $500 to those affected by the breach. Those who suffered additional financial and emotional distress can file for and claim up to $20,000 from the fund. There is also another group of about 1,600 who will receive $75 for having their PHI exposed to the mail vendor and Aetna’s legal counsel. The remainder of the settlement will go towards lawyer fees and legal expenses.

The settlement is still pending approval from the court, but that is just a formality.

Lead Image by Jessica Hill/AP, Body Image via WHYY


 
It is not ok for others around to know you have a life threatening virus flowing through your blood? I sincerely hope I would not contract it if they infect me from trying to save their life. Is it ok for me to know I am a carrier of the ebola virus and not tell anyone? If I am sick from even a cold that someone I am around can catch, I let them know.
 
Has nothing to do with that. Aetna breached HIPAA. Well, technically their vendor did, but they are the responsible party. Medical records are not public information, and they are protected by HIPAA in the United States; no matter what those records indicate, they cannot be publicly revealed without consent. Actually, they can't even be privately revealed without consent.
 

I used to work in the healthcare industry for several years. I understand about privacy. I'm just saying that if they are carrying something around that is fatal and can be transmitted to another person, there should be some sort of responsibility for them to let others know they could die. That is just me though. Just like if you have herpes or genital warts (I do not believe they are fatal), but it is your responsibility.
 
Agreed, but as you say it is THEIR responsibility. Trust me I'm totally with you, but I'm not for a health provider going, "Hey, this dude has <insert ailment here fatal or otherwise>" to the public. It's a fine line. Of course I want to know this stuff if I'm going to be put into a position of contracting, and in most cases, you are allowed to know. But I don't need to know if my next door neighbor has xyz unless I plan on boinking her, in which case I take precautions until I am for sure it's safe. Nobody gets AIDS from getting sneezed on.
 

Agreed. Although it is a threat if they get cut or severely injured (and/or unconscious) and I am unknowingly endangering myself. I personally believe I have a responsibility. Would I rather keep it to myself? Yes, but I feel there is a moral responsibility there.

There is a registry for sex offenders. Even if you were just caught peeing on the side of your own house. It is not even a fatal situation and information is freely available for anyone.
 