Aetna Inc. has agreed to settle allegations that it improperly disclosed the protected health information of thousands of Americans, including hundreds of New Jersey residents, New Jersey Attorney General Gurbir Grewal announced earlier this month.
Aetna has agreed to pay the state a penalty of about $365,000. The company will also hire an independent consultant to evaluate and report on its privacy protection practices and monitor its compliance with the settlement, officials said.
A multistate investigation found that, in July 2017, Aetna inadvertently disclosed the names, addresses and conditions of thousands of HIV patients nationwide, including about 650 New Jersey residents, when glassine envelopes sent through the mail by a third party revealed too much information.
Aetna later sued the claims administrator that handled the mailings for negligence. The administrator in turn sued Aetna, charging that the insurer had committed negligence and breach of contract.
A second breach occurred in September. In that breach, a mailing sent to 1,600 people for a study of patients with the heart condition atrial fibrillation revealed the name and logo of the study—IMPACT-AFib—which could have been interpreted as meaning that the addressee had an AFib diagnosis, according to the New Jersey attorney general’s office.
New Jersey and the other states involved in the investigation — Connecticut, Washington and the District of Columbia — alleged that Aetna violated the federal Health Insurance Portability and Accountability Act (HIPAA) and state health information protection laws.
The breach involving the HIV patients spawned a class-action lawsuit brought on behalf of current and former Aetna customers taking medication either to treat HIV or to prevent the possibility that exposure to the virus might lead to HIV.
A family member of the lead plaintiff in the case found one of the envelopes. The information breach forced the lead plaintiff to admit to his family that he had HIV.
Last January, Aetna agreed, pending judicial approval, to pay $17 million to resolve the suit.
“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” Grewal said in a statement. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”
An Aetna spokesperson said in an email that the company has worked, through the recent class-action settlement and other measures, to address the potential impact of “this unfortunate incident” on members.
“In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information,” he said.