Note: This post contains a press release from the D.C. Attorney General’s Office. The monetary penalty amount cited, $175,000.00, only applies to D.C. Separately, New Jersey announced that it settled with Aetna for $365,000.
Aetna’s only statement, e-mailed to us, reads:
Through our outreach efforts, immediate relief program and recent settlements we have worked to address the potential impact to members following this unfortunate incident. In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.
We have reached out to Washington and Connecticut to request copies of their settlements or statements and will update this post if we receive them.
Update 1: Connecticut provided this site with a copy of the assurance of voluntary compliance signed by Aetna, which includes a $99,959.00 monetary penalty. D.C.’s assurance of voluntary compliance by Aetna can be found off-site at http://oag.dc.gov/sites/default/files/2018-10/Aetna-AVC-10-10-18_0.pdf, and New Jersey’s can be found at https://www.nj.gov/oag/newsreleases18/AetnaAVC.pdf. We will post Washington’s when it’s obtained.
October 10, 2018
Aetna to Pay $175K for Mishandling Health Information, 380+ District Residents Affected
WASHINGTON, D.C. – Attorney General Karl A. Racine today announced that the District of Columbia has reached a settlement with Aetna, Inc., resolving a multi-state investigation into the company’s mishandling of protected health information and improper disclosures of patients’ HIV status. The multistate investigation found that Aetna revealed consumers’ HIV status by mailing notices in envelopes with large transparent windows that allowed the words “HIV Medications” to be seen in the enclosed document. This disclosure affected up to 12,000 consumers nationwide, including 388 District residents. In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to harmed consumers. Today’s settlement requires Aetna to change its procedures for handling health information to prevent future disclosures and pay a $175,000 penalty to the District.
“Aetna failed to protect the health information of District residents and illegally disclosed their HIV status,” said Attorney General Racine. “Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”
Aetna, Inc., headquartered in Hartford, Connecticut, is a company that offers health insurance plans and services. Specifically, Aetna provides health care, dental, pharmacy, group life, disability, and long-term care insurance and employee benefits to over 38 million people.
An estimated 1.1 million Americans live with HIV, a virus that causes AIDS, an immune system disorder. HIV is now a treatable, chronic condition and people with HIV can live long and full lives. However, many people living with HIV or AIDS continue to experience stigma and discrimination. An unauthorized or otherwise improper disclosure of a person’s HIV or AIDS status can result in the denial of health care, poor treatment at school or at work, and other collateral consequences.
In July of 2017, Aetna mailed notices to approximately 12,000 consumers designated to receive HIV medications, including 388 District residents. The notices detailed options for purchasing their medications at brick-and-mortar pharmacies or online. They were mailed in envelopes with large transparent plastic windows that allowed the consumers’ names and addresses to be seen along with the words “HIV Medications” through the envelope’s window.
The District alleged that this improper disclosure of private health information violates the federal Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of health information laws, as well as the District’s Consumer Protection Procedures Act. Specifically, the District alleged that Aetna:
- Failed to protect consumers’ confidential health information: Aetna improperly disclosed the protected health information of 388 District consumers by mailing notices that in many instances allowed anyone who viewed the envelope to learn the consumer’s name, address, and information about their HIV status. Similarly, in September 2017, Aetna mailed a notice to 10 District residents with atrial fibrillation which had information about the heart condition on the outside of the envelope.
- Deceived consumers about the company’s ability to safeguard their health information: Aetna made representations to consumers that it would keep medical information confidential as required by law, and that it had strong safeguards in place to protect information and prevent disclosures. The District of Columbia alleges that the claims regarding the privacy of consumers’ protected health information were misleading to consumers.
As part of the settlement with the District of Columbia, Aetna is required to:
- Adopt new policies to safeguard consumers’ private health information: Aetna must implement policies and procedures that protect the health information of consumers and comply with HIPAA’s privacy and security rules. Aetna must also accurately inform consumers about its policies and procedures concerning the collection, storage and dissemination of personal information.
- Modify procedures for sending mailings to consumers: Aetna will modify its procedures related to print mailings to consumers and adopt best practices for protecting health information. They will use only the minimum necessary consumer information when sending mailings, require a strict review and approval process for any mailings containing private information, require approval of anything printed on an envelope, and in some instances require a cover sheet in mailings to further protect private information.
- Hire independent consultants to monitor privacy compliance: Aetna will appoint an independent consultant with expertise in healthcare privacy to monitor compliance with federal and state privacy protections and compliance with the terms of the settlement. The consultant will review their privacy policies and procedures for handling private health information and provide ongoing monitoring and reports to the Office of the Attorney General over the next two years.
- Pay a $175,000 fine to the District: Aetna will pay a $175,000 civil penalty to the District of Columbia.
Aetna previously settled a class action lawsuit that required it to pay $17 million to those affected. Aetna also set up an immediate relief program designed to address the emergency needs of consumers who were harmed. The states of Connecticut, Washington, and New Jersey also reached similar settlements with Aetna today.
A copy of the settlement agreement is available at: http://oag.dc.gov/sites/default/files/2018-10/Aetna-AVC-10-10-18_0.pdf
Resources to Protect Your Personal Information
If you believe that your personal information or your private health information has been compromised in some way, report it to OAG’s Office of Consumer Protection by calling our Consumer Protection Hotline at 202-442-9828 or submit a complaint online on our Consumer Protection Page. For more information on how to protect your personal information, read our online privacy and identity theft consumer protection resources.
Source: D.C. Attorney General Karl A. Racine