[BreachExchange] $17.2 Million Settlement for Breach Case Involving HIV Info

[Audrey McNeil]

https://www.databreachtoday.com/172-million-settlement-
for-breach-case-involving-hiv-info-a-10599

A mailing error can have huge consequences. Case in point: Aetna has agreed
to a nearly $17.2 million settlement of a class action lawsuit filed in the
wake of a July 2017 data breach involving HIV drug information being
visible through envelope windows on thousands of letters mailed to members
of the company's pharmacy benefits plans.

The settlement is a reminder about the importance of properly safeguarding
all protected health information, especially sensitive data - whether in
paper or electronic form.

Ronda Goldfein, executive director of the AIDS Law Project Pennsylvania,
which filed the suit last year against Aetna jointly with the Legal Action
Center and law firm Berger & Montague P.C. on behalf of the affected
individuals, tells Information Security Media Group that the insurer had
appeared to have taken the case "quite seriously" and "negotiated in good
faith."

The federal court still needs to grant preliminary approval of the
settlement reached between the plaintiffs and Aetna, she says.

Other entities need to learn from this case, Goldfein adds. "If they hold
confidential health information, they have to be thoughtful about how they
handle and transfer that information," she says. "They need to be mindful
of the devastating consequences to individuals if not handled properly.
Some people have sustained tremendous loss due to their [HIV] status being
disclosed [by the mailing] ... including loss of their homes and
relationships."

The July 2017 mailing was done by a third-party company that was not named
as a defendant in the suit.

Case Details

A joint statement by the plaintiffs' representatives notes the case alleged
that Aetna improperly transmitted to its legal counsel and a mail vendor
the names of 13,487 customers who had been prescribed HIV medications and
that large transparent window envelopes revealing confidential HIV-related
information were sent to 11,875 of them.

Aetna, in a statement provided to ISMG, says, "Through our outreach
efforts, immediate relief program and this settlement, we have worked to
address the potential impact to members following this unfortunate
incident. In addition, we are implementing measures designed to ensure
something like this does not happen again as part of our commitment to best
practices in protecting sensitive health information."

Under the terms of the proposed settlement, Aetna has agreed to pay nearly
$17.2 million to resolve the claims. "All settlement class members will
automatically receive a base payment of either $75 to those whose protected
health information was allegedly improperly disclosed by Aetna to its legal
counsel and mail vendor, or at least $500 - inclusive of the $75 payment
above - to those whose privacy was breached by the large-windowed envelope,
whichever is applicable," says a statement issued by the plaintiffs.

"In addition, settlement class members whose privacy was breached by the
large-windowed envelope ... have the opportunity to seek additional
monetary relief through the filing of a claim form documenting financial or
nonfinancial harm."

Privacy attorney David Holtzman, vice president of compliance at the
security consultancy CynergisTek, says he believes that Aetna likely
decided it was in the company's best interest to settle the matter "at what
it considered to be a reasonable discount to the estimated cost of actual
damages and litigation expense" the company could incur.

"Liability for actions that caused the unauthorized disclosures would be
difficult to dispute," he says. "The information disclosed was of a type
that was specially protected by a number of states in which the disclosures
occurred, meaning individuals would have the right to sue for damages. And
there were a number of individuals who alleged they could demonstrate
actual, significant harm suffered as a result of the disclosures."

Sensitive Health Data Breaches

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the
breach offers an important lesson for covered entities and business
associates involving paper mailings of confidential patient information.

"If an envelope window is misaligned and reveals patient information,
Murphy's Law suggests that the revealed patient information will end up
being especially sensitive, such as HIV information," he says.
"Accordingly, organizations should audit their systems, such as mailing
systems, to prepare for and avert such problems."

Breaches involving sensitive health information also appear to be a
sticking point with federal and state regulators.

For instance, the U.S. Department of Health and Human Services' Office for
Civil Rights last May issued a resolution agreement including a corrective
action plan and $387,000 settlement with St. Luke's-Roosevelt Hospital
Center in New York in a breach case affecting only two patients and
involving what OCR called, "careless handling of HIV information' (see Big
Settlement in Privacy Care Involving 2 Patients, HIV Data).

In that case, OCR says a hospital worker in 2014 impermissibly faxed a
patient's PHI, including HIV status, to the individual's employer rather
than sending it to the requested personal post office box.

In an even bigger settlement for a breach of sensitive information, OCR in
2011 signed a resolution agreement that included a $1 million payment by
Massachusetts General Hospitalfor an incident involving a hospital worker
who left behind on a train papers containing HIV information for 192
patients.

In another mailing-related breach, California's state attorney general in
2014 issued a $150,000 fine against health insurer Anthem in a case
involving the mailings in 2011 and 2012 of almost 34,000 letters printed
with the Social Security numbers of certain members viewable through the
envelopes' windows.

Holtzman says regulators are also likely to scrutinize the Aetna privacy
breach. "I believe it is likely that OCR and state attorneys general will
take a careful look at the process and procedures of the organizations
involved in this incident," he says.

"An inquiry would look into what policies and procedure were in place to
handle the production and mailing of documents containing sensitive
personal information, including the business associate agreements required
under the HIPAA Privacy Rule; whether the policies and procedures were
followed in the production and mailing of these letters; and whether the
individuals affected by the unauthorized disclosures were provided the
notifications required by federal and state law."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180119/6ee4b8b8/attachment.html>