Aetna Inc. has agreed to settle allegations that it improperly disclosed the protected health information of thousands of Americans, including hundreds of New Jersey residents, New Jersey Attorney General Gurbir Grewal announced earlier this month.
Aetna has agreed to pay the state a penalty of about $365,000. The company will also hire an independent consultant to evaluate and report on its privacy protection practices and monitor its compliance with the settlement, officials said.
A multistate investigation found that, in July 2017, Aetna inadvertently disclosed the names, addresses and conditions of thousands of HIV patients nationwide, including about 650 New Jersey residents, when glassine envelopes sent through the mail by a third party revealed too much information.
Aetna later sued the claims administrator that handled the mailings for negligence. The administrator in turn sued Aetna, charging that the insurer had committed negligence and breach of contract.
A second breach occurred in September. In that breach, a mailing sent to 1,600 people for a study of patients with the heart condition atrial fibrillation revealed the name and logo of the study—IMPACT-AFib—which could have been interpreted as meaning that the addressee had an AFib diagnosis, according to the New Jersey attorney general’s office.
New Jersey and the other states involved in the investigation — Connecticut, Washington and the District of Columbia — alleged that Aetna violated the federal Health Insurance Portability and Accountability Act (HIPAA) and state health information protection laws.
The breach involving the HIV patients spawned a class-action lawsuit brought on behalf of current and former Aetna customers taking medication either to treat HIV or to prevent the possibility that exposure to the virus might lead to HIV.